View Full Version : need help w/ hard to kill trojan
Hi, find HJT and KOS logs below, and I have taken all the steps given in sticky post :angel:
I need help to complete and clean up a partly successful struggle with a nasty trojan that has bloggers me since Friday night. I think it was some kind of Bagle that suddenly made me sober as it blocked my avast and ad-aware programs, loaded some srosa.sys driver, created a dir named down in system32, populated with exe files with numbers as file name. It also created and started the files winterm.exe and hldrrr.exe, and apart from this it was not possible to run HJT or reboot into safe mode (computer just rebooted).
To make a long story short, I am a geek and tried to fix this on my own (which I of course shouldn't have done, wiser now) running different online scanner which detected this and lead me on track but of course asked for my money before fixing it :mad:, but I finally came a cross ComboFix which at first seem to have fixed it.
Then I found Spybot which alerted me to be infected with Win32.Agent.bgy and Win32.Bagle.hi, and although I clean them out in Safe Mode, run Spybot again when booting into normal and coming up clean, I then get an error message saying "[256] Detected debugger running, please close etc" which goes away by it self and when I then run Spybot again after system completed boot the same Agent.bgy and Bagle.hi is detected. I looked around and have figured out that the trojan maybe was wrapped with Thimidia or something like that.
Anyhow here is my logs as I stand now. Spybot still open w/o fixing detected infections and same with HJT.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:24:36, on 19/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpeedFan.lnk.disabled
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Dispatcher.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.astrocalc.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189011463281
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}: NameServer = 213.226.224.12,213.226.224.66
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
--
End of file - 9655 bytes
Virus scan took almost freaking 20h and report is massive, so I cleaned out all except the detected infections.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 19, 2008 10:54:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/02/2008
Kaspersky Anti-Virus database records: 570665
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
H:\
J:\
Scan Statistics:
Total number of scanned objects: 586273
Number of viruses found: 6
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 19:56:09
Infected Object Name / Virus Name / Last Action
...
C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe/data0000.cab/devenv.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional \SkinStudio5_Pro.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe Rsrc-Package: infected - 2 skipped
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip/runme.exe Infected: Trojan.Win32.Dialer.oi skipped
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip Infected: Trojan.Win32.Dialer.oi skipped
C:\Old F\dl\SQLDiff\digf287a.zip ZIP: infected - 2 skipped
C:\Old G\dlfiles\flashget\fgf140.exe/WISE0018.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Old G\dlfiles\flashget\fgf140.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Old G\dlfiles\flashget\fgf140.exe WiseSFX: infected - 2 skipped
C:\Old G\dlfiles\MailThem\igmsetup.exe/AJJ.EXE Infected: not-a-virus:AdWare.Win32.Aureate.d skipped
C:\Old G\dlfiles\MailThem\igmsetup.exe ZIP: infected - 1 skipped
C:\Old G\dlfiles\MailThem\igmsetup.exe WiseSFXDropper: infected - 1 skipped
C:\reggapps\Unisuite\hz-utx01.exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\reggapps\Unisuite\hz-utx01.exe ZIP: infected - 1 skipped
C:\WINDOWS\system32\drivers\SROSA.SYS.del Infected: Trojan-Downloader.Win32.Bagle.iw skipped
...
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Now I touch nothing before I get instructions :santa:
steamwiz
2008-02-23, 16:33
HI
Hijackthis only has a couple of orphan reg keys to remove:-
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
Do you really need this in your trusted sites ?
O15 - Trusted Zone: *.astrocalc.com
You do realise that putting any site in here is like giving a stranger the keys to your house, it can run anything on your computer without informing you.
RE: KAV scan log ....
It look like you have been downloading cracked programs, these nearly always come with a "little extra"
C:\Documents and Settings\Joakim\My Documents\Downloads\Stardock SkinStudio Professional\SkinStudio5_Pro.exe ... Infected with AdWare.Win32.Virtumonde.ks
-
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip/runme.exe Infected: Trojan.Win32.Dialer.oi skipped
C:\Old F\dl\SQLDiff\digf287a.zip/runme.zip Infected: Trojan.Win32.Dialer.oi skipped
This could be a legit dialer ... or a porn dialer ... if you don't know what it is, get the file checked out here :-
http://www.virustotal.com/flash/index_en.html
or just delete it.
-
C:\Old G\dlfiles\flashget\fgf140.exe
AdWare.Win32.Cydoor ... more adware - delete it
-
C:\Old G\dlfiles\MailThem\igmsetup.exe
& more to delete ... Win32.Aureate.d
-
C:\reggapps\Unisuite\hz-utx01.exe
Trojan-Downloader.Win32.Harnig.bg .. delete
-
C:\WINDOWS\system32\drivers\SROSA.SYS.del ... Infected: Trojan-Downloader.Win32.Bagle.iw skipped
delete this ...
-------
Run spybot again & post the log ...
THEN ...
Please follow these instructions for running Combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
1. When finished, it will produce a logfile located at C:\ComboFix.txt.
2. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
Please remember to post :-
1. Spybot log
2. C:\ComboFix.txt
steam
Thanks for finally coming at my assistance, I was just about to enter the waiting room ;-)
I will do as you said... but first, it's correct I have downloaded cracked programs, but it's not quite how it look... can I pm you with some details I don't like to be publicly visible, which also would help to solve this case?
/Y
steamwiz
2008-02-23, 17:14
Thanks for finally coming at my assistance, I was just about to enter the waiting room ;-)
I will do as you said... but first, it's correct I have downloaded cracked programs, but it's not quite how it look... can I pm you with some details I don't like to be publicly visible, which also would help to solve this case?
/Y
Sorry for the delay, I've just been working on the older posts, everyone who posted more than 4 days ago has now received a reply I'm happy to say :)
Sure Please feel free to send me a PM :)
steam
All virus junk was deleted right away, in fact it was mostly old stuff taking up HDD space anyway - I must get myself a smaller HDD to become less lazy :red: I am pretty sure my infection didn't come from there anyhow as I know were and when I got it. My Avast was taken by surprise, but infact only 2 of 32 scanners at jotty and viruscontrol did catch it when I sent up the infecting file.
As I said in my pm, I became a bit too restless after waiting for 2 days and took some steps to gather more information, both regarding the threath and what was going on inside my computer. like I have run Spybot several times and it basically goes around in circles. So I post several logs to give you proper information, basically the very first one and the last.
I have cleaned out tracking cookies, and also below the item Partizan I am pretty sure is a false positive as it belongs to RegRun which I at least think is a legitimate malware program?
17.02.2008 22:02:33 - ##### check started #####
17.02.2008 22:02:33 - ### Version: 1.5.2
17.02.2008 22:02:33 - ### Date: 17/02/2008 22:02:33
17.02.2008 22:02:34 - ##### checking bots #####
17.02.2008 22:10:20 - found: Microsoft.WindowsSecurityCenter.AntiVirusOverride Settings
17.02.2008 22:17:01 - found: Win32.Agent.bgy Settings
17.02.2008 22:17:11 - found: Win32.Bagle.hi Settings
17.02.2008 22:17:11 - found: Win32.Bagle.hi Program directory
17.02.2008 22:17:48 - found: Win32.VB.jl Settings
17.02.2008 22:17:49 - found: Win32.VB.jl Settings
17.02.2008 22:21:57 - ##### check finished #####
--- Report generated: 2008-02-17 22:21 ---
Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun
Win32.Bagle.hi: [SBI $FF44CCD9] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\ts
Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
C:\WINDOWS\system32\drivers\down\
Win32.VB.jl: [SBI $4A7DE52E] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Partizan
Win32.VB.jl: [SBI $3C98DC13] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Partizan
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-13 Includes\DialerC.sbi (*)
2008-02-13 Includes\HeavyDuty.sbi (*)
2008-02-13 Includes\Hijackers.sbi (*)
2008-02-13 Includes\HijackersC.sbi (*)
2008-02-13 Includes\Keyloggers.sbi (*)
2008-02-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-13 Includes\Malware.sbi (*)
2008-02-13 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-02-13 Includes\PUPSC.sbi (*)
2008-02-13 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-13 Includes\SecurityC.sbi (*)
2008-02-13 Includes\Spybots.sbi (*)
2008-02-13 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-13 Includes\Trojans.sbi (*)
2008-02-13 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
This first pass was done in safe mode I think, then booted normal and run again to get this:
17.02.2008 22:34:16 - ##### check started #####
17.02.2008 22:34:16 - ### Version: 1.5.2
17.02.2008 22:34:16 - ### Date: 17/02/2008 22:34:16
17.02.2008 22:34:17 - ##### checking bots #####
17.02.2008 22:47:10 - found: Win32.Agent.bgy Settings
17.02.2008 22:47:19 - found: Win32.Bagle.hi Program directory
17.02.2008 22:51:53 - ##### check finished #####
--- Report generated: 2008-02-17 22:53 ---
Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun
Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
C:\WINDOWS\system32\drivers\down\
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-13 Includes\DialerC.sbi (*)
2008-02-13 Includes\HeavyDuty.sbi (*)
2008-02-13 Includes\Hijackers.sbi (*)
2008-02-13 Includes\HijackersC.sbi (*)
2008-02-13 Includes\Keyloggers.sbi (*)
2008-02-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-13 Includes\Malware.sbi (*)
2008-02-13 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-02-13 Includes\PUPSC.sbi (*)
2008-02-13 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-13 Includes\SecurityC.sbi (*)
2008-02-13 Includes\Spybots.sbi (*)
2008-02-13 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-02-13 Includes\Trojans.sbi (*)
2008-02-13 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
to be continued...
steamwiz
2008-02-23, 22:39
HI
Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
This may or may not be malware related ... it could be your anti-virus claiming responsibility for monitoring itself.
-
17.02.2008 22:47:10 - found: Win32.Agent.bgy Settings
17.02.2008 22:47:19 - found: Win32.Bagle.hi Program directory
Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun
Would you please run Regedit & export this key :-
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun
Then copy& paste the contents here
Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, fixed)
C:\WINDOWS\system32\drivers\down\
these are bagle ... surprisingly it shows nothing in the "down" folder ...
-
This is from another spybot log, you will notice that spybot deletes all files in the System32\drivers\down\ folder
Win32.Agent.bgy: [SBI $3FF5579E] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_USERS\S-1-5-21-1009317085-2326122771-423037255-1000\Software\FirstRRRun
Win32.Bagle.hi: [SBI $FF44CCD9] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_USERS\S-1-5-21-1009317085-2326122771-423037255-1000\Software\ts
Win32.Bagle.hi: [SBI $37536BC2] Programm-Verzeichnis (Verzeichnis, fixed)
C:\Windows\System32\drivers\down\
Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
C:\Windows\System32\drivers\down\245359.exe
Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
C:\Windows\System32\drivers\down\280078.exe
Win32.Bagle.hi: [SBI $5A6A2EC7] Ausführbare Datei (Datei, fixed)
C:\Windows\System32\drivers\down\285765.exe
---------
Here's another bagle similar to yours, but this version has been around over 2 years
http://vil.nai.com/vil/content/v_138585.htm
--
You say you've run Combofix, bagle notoriously corrupts the headers of certain exe files, Combofix included, unless the exe is renamed first (before download) ... but you had no trouble running it ?
I'll be interested to see some of your Combofix logs ..
steam
So here we kinda start over with fresh logs. First an observation though. Last friday when this started I happened to double click that file I told you about resulting in a dialog saying "select file to crack". It was friday night :santa: and selected the file I opened somewhat puzzled, before I realized what had happened.
I emediately took preventive meassures like pulling the net cable and open Windows Task Manager where I saw these numbered.exe files popping up which I understood was crap and killed and relatively soon I also located hldrrr.exe and winterms.exe which was killed but at this stage I was still unaware of srosa.sys but possibly fast response to the situation limited the damage somehow, at least I never saw much of that in the other tread you pointed me at. I found some of the registry keys and values which I deleted, although some of the srosa stuff was hard to get rid of as it didn't help to change permissions inside of regedit and at that point I could open none of my usual security programs, nor install HJT.
Anyhow, that open dialog never showed up again, until now. Now it comes up every time I boot into normal mode. If I just leave it there nothing further seem to happen. I surely wont select any file :oops: and Cancel probably wont make much difference so I tested the X instead which result in the system takes a dive :snorkle: after a short delay. But as I said, if I just leave it open there things seem to be statusQ and I can use the system.
The very first time I "managed" to get this dialog to come back was on wednesday when I got restless and started to poke around, do some different online scans and finally was able to clean out much although after reboot the classic things came back. I then noticed there was something strange with my display driver and looking for hidden/camoflaged things I couldn't find anything else except legit things that loaded. Actually it started with me trying to install a new ATI Catalyst driver set but as the fist ATI screen loaded I got a message I needed Admin privileges (or something similar) to install. I then decided to uninstall the ATI drivers (I have a Radeon 9250) and bump down to VGA and see what happened. Before I rebooted I cleaned up the virus tracks and when the machine came up I saw no down dir and a Spybot scan came out clear - at that point I thought I had done it... but as soon as I touched the install new hardware dialog that came up for missing display driver that dialog popped up again!
Now I think it's RegRun's Anti-rootkit driver which loads early that actually forces the dialog to get up to surface instead of hiding. Anyhow, that were I am now. I will post Spybot logs right away in a new post and then run Combofix to see were it gets us. I assume I should disable RegRun then although I am a bit reluctant as I basically know how the CF will come out, it will delete the down dir and then reboot and after reboot the dir is back as well as the reg keys. Or do you have a better idea? Basically I think I have it all out, except for 1 place were it hides and reincarnate unless we can give it a final blow.
Spybot in Safe Mode
23.02.2008 19:52:32 - ##### check started #####
23.02.2008 19:52:32 - ### Version: 1.5.2
23.02.2008 19:52:32 - ### Date: 2008-02-23 19:52:32
23.02.2008 19:52:33 - ##### checking bots #####
23.02.2008 20:11:01 - found: Win32.Agent.bgy Settings
23.02.2008 20:11:17 - found: Win32.Bagle.hi Program directory
23.02.2008 20:12:14 - found: Win32.VB.jl Settings
23.02.2008 20:17:46 - ##### checking usage tracking #####
23.02.2008 20:17:46 - found: Common Dialogs History 4 files
23.02.2008 20:17:46 - found: Log Activity: ntbtlog.txt ntbtlog.txt
23.02.2008 20:17:46 - found: Log Install: setupapi.log setupapi.log
23.02.2008 20:17:46 - found: Log Shutdown: System32\wbem\logs\wbemess.log System32\wbem\logs\wbemess.log
23.02.2008 20:17:46 - found: Log Shutdown: System32\wbem\logs\wmiprov.log System32\wbem\logs\wmiprov.log
23.02.2008 20:17:47 - found: 7-Zip Folder history
23.02.2008 20:17:47 - found: 7-Zip Last used folder
23.02.2008 20:17:48 - found: Internet Explorer Typed URL list 1 files
23.02.2008 20:17:48 - found: MS Management Console Recent command list 1 files
23.02.2008 20:17:50 - found: MS Office 12.0 (Word) Recent Document List 1 files
23.02.2008 20:17:51 - found: MS Regedit Recent open key
23.02.2008 20:17:52 - found: Windows Explorer Run history 2 files
23.02.2008 20:17:52 - found: Windows Explorer Stream history 2 files
23.02.2008 20:17:52 - found: Windows Explorer User Assistant history IE 4 files
23.02.2008 20:17:52 - found: Windows Explorer User Assistant history files 19 files
23.02.2008 20:17:52 - found: Windows Explorer Last visited history 2 files
23.02.2008 20:17:52 - found: Windows Explorer Recent file global history
23.02.2008 20:17:53 - found: Cookie Cookie (5)
23.02.2008 20:17:53 - found: Cache Cache (138)
23.02.2008 20:17:53 - found: History History (22)
23.02.2008 20:17:53 - found: Cookie Cookie (20)
23.02.2008 20:17:53 - ##### check finished #####
--- Report generated: 2008-02-23 20:17 ---
Win32.Agent.bgy: [SBI $3FF5579E] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun
Win32.Bagle.hi: [SBI $37536BC2] Program directory (Directory, nothing done)
C:\WINDOWS\system32\drivers\down\
Win32.VB.jl: [SBI $4A7DE52E] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Partizan
Common Dialogs: [SBI $4CDCC3D5] History (4 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Log: [SBI $4CDCC3D5] Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt
Log: [SBI $4CDCC3D5] Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log
Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log
Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log
7-Zip: [SBI $12C3A52C] Folder history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\FolderHistory
7-Zip: [SBI $3D5692BD] Last used folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\PanelPath0
Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Internet Explorer\TypedURLs
MS Management Console: [SBI $ECD50EAD] Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Microsoft Management Console\Recent File List
MS Office 12.0 (Word): [SBI $E357B233] Recent Document List (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Office\12.0\Word\File MRU
MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (19 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Cookie: Cookie (5) (Cookie, nothing done)
Cache: Cache (138) (Cache, nothing done)
History: History (22) (History, nothing done)
Cookie: Cookie (20) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti (*)
2008-02-20 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-20 Includes\DialerC.sbi (*)
2008-02-20 Includes\HeavyDuty.sbi (*)
2008-02-20 Includes\Hijackers.sbi (*)
2008-02-20 Includes\HijackersC.sbi (*)
2008-02-20 Includes\Keyloggers.sbi (*)
2008-02-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-20 Includes\Malware.sbi (*)
2008-02-20 Includes\MalwareC.sbi (*)
2008-02-20 Includes\PUPS.sbi (*)
2008-02-20 Includes\PUPSC.sbi (*)
2008-02-20 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-20 Includes\SecurityC.sbi (*)
2008-02-20 Includes\Spybots.sbi (*)
2008-02-20 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti (*)
2008-02-20 Includes\Trojans.sbi (*)
2008-02-20 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
After cleaning it automatically runs again (but only in safe mode it appears)
23.02.2008 20:22:09 - ##### check started #####
23.02.2008 20:22:09 - ### Version: 1.5.2
23.02.2008 20:22:09 - ### Date: 2008-02-23 20:22:09
23.02.2008 20:22:11 - ##### checking bots #####
23.02.2008 20:42:32 - ##### checking usage tracking #####
23.02.2008 20:42:32 - found: Common Dialogs History 4 files
23.02.2008 20:42:32 - found: Log Activity: ntbtlog.txt ntbtlog.txt
23.02.2008 20:42:32 - found: Log Install: setupapi.log setupapi.log
23.02.2008 20:42:32 - found: Log Shutdown: System32\wbem\logs\wbemess.log System32\wbem\logs\wbemess.log
23.02.2008 20:42:32 - found: Log Shutdown: System32\wbem\logs\wmiprov.log System32\wbem\logs\wmiprov.log
23.02.2008 20:42:32 - found: 7-Zip Folder history
23.02.2008 20:42:32 - found: 7-Zip Last used folder
23.02.2008 20:42:32 - found: Internet Explorer Typed URL list 1 files
23.02.2008 20:42:33 - found: MS Management Console Recent command list 1 files
23.02.2008 20:42:35 - found: MS Office 12.0 (Word) Recent Document List 1 files
23.02.2008 20:42:35 - found: MS Regedit Recent open key
23.02.2008 20:42:35 - found: Windows Explorer Run history 2 files
23.02.2008 20:42:35 - found: Windows Explorer Stream history 2 files
23.02.2008 20:42:35 - found: Windows Explorer User Assistant history IE 4 files
23.02.2008 20:42:35 - found: Windows Explorer User Assistant history files 19 files
23.02.2008 20:42:35 - found: Windows Explorer Last visited history 2 files
23.02.2008 20:42:35 - found: Windows Explorer Recent file global history
23.02.2008 20:42:36 - found: Cookie Cookie (5)
23.02.2008 20:42:36 - found: Cache Cache (138)
23.02.2008 20:42:36 - found: History History (22)
23.02.2008 20:42:36 - found: Cookie Cookie (20)
23.02.2008 20:42:36 - ##### check finished #####
and then comes the final report from Spybot, in next post as it's long
--- Search result list ---
Common Dialogs: [SBI $4CDCC3D5] History (4 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
Log: [SBI $4CDCC3D5] Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt
Log: [SBI $4CDCC3D5] Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log
Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log
Log: [SBI $4CDCC3D5] Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log
7-Zip: [SBI $12C3A52C] Folder history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\FolderHistory
7-Zip: [SBI $3D5692BD] Last used folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\7-ZIP\FM\PanelPath0
Internet Explorer: [SBI $1E8157BE] Typed URL list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Internet Explorer\TypedURLs
MS Management Console: [SBI $ECD50EAD] Recent command list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Microsoft Management Console\Recent File List
MS Office 12.0 (Word): [SBI $E357B233] Recent Document List (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Office\12.0\Word\File MRU
MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey
Windows Explorer: [SBI $7308A845] Run history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Explorer: [SBI $2026AFB6] User Assistant history IE (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: [SBI $6107D172] User Assistant history files (19 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Cookie: Cookie (5) (Cookie, nothing done)
Cache: Cache (138) (Cache, nothing done)
History: History (22) (History, nothing done)
Cookie: Cookie (20) (Cookie, nothing done)
Congratulations!: No immediate threats were found. ()
--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-02-17 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-02-13 Includes\Beta.sbi (*)
2007-11-06 Includes\Beta.uti (*)
2008-02-20 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-02-20 Includes\DialerC.sbi (*)
2008-02-20 Includes\HeavyDuty.sbi (*)
2008-02-20 Includes\Hijackers.sbi (*)
2008-02-20 Includes\HijackersC.sbi (*)
2008-02-20 Includes\Keyloggers.sbi (*)
2008-02-20 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-02-20 Includes\Malware.sbi (*)
2008-02-20 Includes\MalwareC.sbi (*)
2008-02-20 Includes\PUPS.sbi (*)
2008-02-20 Includes\PUPSC.sbi (*)
2008-02-20 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-02-20 Includes\SecurityC.sbi (*)
2008-02-20 Includes\Spybots.sbi (*)
2008-02-20 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti (*)
2008-02-20 Includes\Trojans.sbi (*)
2008-02-20 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Microsoft Visual Studio 2005 Professional Edition - ENU: This service pack is for Microsoft Visual Studio 2005 Professional Edition - ENU. \n
If you later install a more recent service pack, this service pack will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/926601
/ Microsoft Visual Studio 2005 Professional Edition - ENU: This Security Update is for Microsoft Visual Studio 2005 Professional Edition - ENU. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/937061
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB937143)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Security Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915800)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Security Update for Windows XP (KB916281)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917537)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921503)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922760)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925454)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)
/ Windows XP / SP3: Update for Windows XP (KB925720)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928090)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Hotfix for Windows XP (KB928388)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Update for Windows XP (KB929338)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931768)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Update for Windows XP (KB933360)
/ Windows XP / SP3: Security Update for Windows XP (KB933566)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Security Update for Windows XP (KB936021)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Security Update for Windows XP (KB937143)
/ Windows XP / SP3: Security Update for Windows XP (KB937894)
/ Windows XP / SP3: Security Update for Windows XP (KB938127)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB938829)
/ Windows XP / SP3: Security Update for Windows XP (KB939373)
/ Windows XP / SP3: Security Update for Windows XP (KB941202)
/ Windows XP / SP3: Security Update for Windows XP (KB941568)
/ Windows XP / SP3: Security Update for Windows XP (KB941644)
/ Windows XP / SP3: Update for Windows XP (KB942763)
/ Windows XP / SP3: Security Update for Windows XP (KB943055)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)
/ Windows XP / SP3: Security Update for Windows XP (KB943485)
/ Windows XP / SP3: Security Update for Windows XP (KB944653)
/ Windows XP / SP3: Security Update for Windows XP (KB946026)
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0
--- Startup entries list ---
Located: HK_LM:Run, @RegRunOnSecure
command: C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
file: C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
size: 57856
MD5: 6BFAFA44C356BE7E6258675AA5C11C61
Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 1679729
MD5: D8A1FF72BE7C6F0B1506265713550512
Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922EB54890C77005268882629A31FE
Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3E4C03CEFAD8DE135263236B61A49C90
Located: HK_LM:Run, RegRun WinBait
command: C:\WINDOWS\winbait.exe
file: C:\WINDOWS\winbait.exe
size: 16384
MD5: 6852D6328F97347FE611EFC51778B9D0
Located: HK_LM:Run, SoundMAXPnP
command: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
file: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
size: 790528
MD5: 8A6EF2D20DA01FC5934F63DE43752C1B
Located: HK_LM:Run, VMware hqtray
command: "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
file: C:\Program Files\VMware\VMware Workstation\hqtray.exe
size: 56112
MD5: 15B7664C3DFD193BD8D9CE822D066E23
Located: HK_LM:Run, vmware-tray
command: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
file: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
size: 68400
MD5: 8692155C3CC033EA10D7BCC57C0B54CD
Located: HK_LM:Run, SoundMAX (DISABLED)
command: "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
file: C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
size: 585728
MD5: 5FA14654B827BC70DC14DE586DC5D493
Located: HK_LM:Run, VMware hqtray (DISABLED)
command: "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
file: C:\Program Files\VMware\VMware Workstation\hqtray.exe
size: 56112
MD5: 15B7664C3DFD193BD8D9CE822D066E23
Located: HK_LM:Run, vmware-tray (DISABLED)
command: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
file: C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
size: 68400
MD5: 8692155C3CC033EA10D7BCC57C0B54CD
Located: HK_CU:Run, ctfmon.exe
where: PE_C_ADMINISTRATOR...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
Located: HK_CU:Run, Registry
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "J:\backreg\rstore.ini"
file: C:\Program Files\Greatis\RegRunSuite\lsoon.exe
size: 390656
MD5: D2E34D66CF273B2FA881AB5D9CF0F983
Located: HK_CU:Run, Regrun2
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
file: C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
size: 1679729
MD5: D8A1FF72BE7C6F0B1506265713550512
Located: HK_CU:Run, SpybotSD TeaTimer (DISABLED)
where: S-1-5-21-1482476501-507921405-725345543-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2097488
MD5: A9A5DB6AC3721BE698B996913693D73F
Located: Startup (common), Acrobat Assistant.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
file: C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
size: 217194
MD5: CFE5228556C93D03D6753E7953CCD4A9
Located: Startup (common), Dispatcher.lnk (DISABLED)
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe
file: C:\Program Files\Reliable Software\Code Co-op\Dispatcher.exe
size: 1368064
MD5: 784E19C5A8BA2C56C77465B5C8643F5F
Located: Startup (user), ERUNT AutoBackup.lnk (DISABLED)
where: C:\Documents and Settings\Joakim\Start Menu\Programs\Startup...
command: C:\Program Files\ERUNT\AUTOBACK.EXE
file: C:\Program Files\ERUNT\AUTOBACK.EXE
size: 38912
MD5: E00DE20F0F6BED5CD2160247DDC9443B
Located: Startup (user), SpeedFan.lnk (DISABLED)
where: C:\Documents and Settings\Joakim\Start Menu\Programs\Startup...
command: C:\Program Files\SpeedFan\speedfan.exe
file: C:\Program Files\SpeedFan\speedfan.exe
size: 2902528
MD5: 72B1BA02D12BAFEC388FB80C68080529
Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 2003-11-03 23:17:44
Date (last access): 2008-02-23 19:37:42
Date (last write): 2003-11-03 23:17:44
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 6.0.1.1091
{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 2008-02-17 21:53:36
Date (last access): 2008-02-23 20:42:38
Date (last write): 2008-01-28 11:43:28
Filesize: 1554256
Attributes: archive
MD5: 5248E02EFBCB64D328647CD00E384B85
CRC32: C1B426A9
Version: 1.5.0.11
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Groove GFS Browser Helper
Path: C:\Program Files\Microsoft Office\Office12\
Long name: GrooveShellExtensions.dll
Short name: GRA8E1~1.DLL
Date (created): 2007-08-24 07:01:22
Date (last access): 2008-02-23 19:09:12
Date (last write): 2007-08-24 07:01:22
Filesize: 2212224
Attributes: archive
MD5: 32C4927E013C018A13D8DFBDA4148812
CRC32: 9A9F3D8B
Version: 12.0.6211.1000
{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 2007-09-20 10:30:18
Date (last access): 2008-02-23 20:09:18
Date (last write): 2007-09-20 10:30:18
Filesize: 328752
Attributes: archive
MD5: 59CF5BF6684AFCF906CADAD39B4214DE
CRC32: C363813C
Version: 4.200.520.1
{AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: AcroIEToolbarHelper Class
description: Adobe Acrobat
classification: Legitimate
known filename: AcroIEFavClient.dll
info link: http://www.adobe.com/products/acrobatpro/main.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Acrobat\
Long name: AcroIEFavClient.dll
Short name: ACROIE~1.DLL
Date (created): 2003-05-15 01:03:46
Date (last access): 2008-02-23 20:07:14
Date (last write): 2003-05-15 01:03:46
Filesize: 147456
Attributes: archive
MD5: 44BCFF08947790E74BD7CC7532D2B793
CRC32: 0C91890B
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Toolbar Helper
Path: C:\Program Files\Windows Live Toolbar\
Long name: msntb.dll
Short name:
Date (created): 2007-10-19 11:20:48
Date (last access): 2008-02-23 19:05:24
Date (last write): 2007-10-19 11:20:48
Filesize: 546320
Attributes: archive
MD5: CEE1BE1DA21300208D07FBEAE9EA2B51
CRC32: 12446524
Version: 3.1.0.146
{E31CE47F-C268-41ba-897B-B415E613947D} (Microsoft Web Test Recorder 9.0 Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Microsoft Web Test Recorder 9.0 Helper
Path: C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\
Long name: Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
Short name: MID57A~1.DLL
Date (created): 2007-11-08 08:19:22
Date (last access): 2008-02-23 19:40:40
Date (last write): 2007-11-08 08:19:22
Filesize: 64088
Attributes: archive
MD5: 351A23DAC4ABC59854E718EDF19ECF4F
CRC32: 94EE98C7
Version: 9.0.21022.8
{E5A1691B-D188-4419-AD02-90002030B8EE} (FlashFXP Helper for Internet Explorer)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: FlashFXP Helper for Internet Explorer
Path: C:\PROGRA~1\FlashFXP\
Long name: IEFlash.dll
Short name:
Date (created): 2006-03-31 21:27:14
Date (last access): 2008-02-23 20:07:14
Date (last write): 2006-03-31 21:27:14
Filesize: 191096
Attributes: archive
MD5: 3507AEE207E68553606F17DB01574E60
CRC32: 7906032A
Version: 3.0.0.1015
--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
{05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool)
DPF name:
CLSID name: Office Genuine Advantage Validation Tool
Installer: C:\WINDOWS\Downloaded Program Files\OGAControl.inf
Codebase: http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
Path: C:\WINDOWS\system32\
Long name: OGACheckControl.DLL
Short name: OGACHE~1.DLL
Date (created): 2007-03-05 13:34:28
Date (last access): 2008-02-23 19:40:42
Date (last write): 2007-06-19 12:11:08
Filesize: 676224
Attributes: archive
MD5: 7F0A75930BFD106D349EF925A080AF03
CRC32: 46CC7779
Version: 1.6.21.0
{0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1)
DPF name:
CLSID name: F-Secure Online Scanner 3.1
Installer: C:\WINDOWS\Downloaded Program Files\fscax.inf
Codebase: http://support.f-secure.com/ols/fscax.cab
description:
classification: Legitimate
known filename: fscax.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: fscax.dll
Short name:
Date (created): 2007-05-07 16:39:24
Date (last access): 2008-02-23 19:40:42
Date (last write): 2007-05-07 16:39:24
Filesize: 254360
Attributes: archive
MD5: D5199825510E4C4F97DC93B7BC3B1A8A
CRC32: 9FA45099
Version: 3.1.0.5
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
DPF name:
CLSID name: CKAVWebScan Object
Installer: C:\WINDOWS\Downloaded Program Files\kavwebscan.inf
Codebase: http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\
Long name: kavwebscan.dll
Short name: KAVWEB~1.DLL
Date (created): 2007-08-29 15:49:54
Date (last access): 2008-02-23 12:54:30
Date (last write): 2007-08-29 15:49:54
Filesize: 950272
Attributes: archive
MD5: BC915C49931CE46222F9B0A7EFB56CEE
CRC32: 11048171
Version: 5.0.98.0
{193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control)
DPF name:
CLSID name: ewidoOnlineScan Control
Installer:
Codebase: http://downloads.ewido.net/ewidoOnlineScan.cab
description:
classification: Legitimate
known filename: EWIDOO~1.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: ewidoOnlineScan.dll
Short name: EWIDOO~1.DLL
Date (created): 2006-07-11 09:41:36
Date (last access): 2008-02-23 19:40:42
Date (last write): 2006-07-11 09:41:36
Filesize: 345656
Attributes: archive
MD5: B284992540E0FA2B76DEA56F93D49A16
CRC32: FD2E709C
Version: 1.0.0.4
{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control)
DPF name:
CLSID name: OnlineScanner Control
Installer: C:\WINDOWS\Downloaded Program Files\OnlineScanner.inf
Codebase: http://www.eset.eu/buxus/docs/OnlineScanner.cab
Path: C:\WINDOWS\system32\
Long name: OnlineScanner.ocx
Short name: ONLINE~1.OCX
Date (created): 2008-02-11 09:40:08
Date (last access): 2008-02-23 19:40:42
Date (last write): 2008-02-11 09:40:08
Filesize: 2715648
Attributes: archive
MD5: 8A41731096C2ECD10568DDB8F0F90498
CRC32: 5CE9D28A
Version: 1.0.0.635
{5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module)
DPF name:
CLSID name: Windows Live Safety Center Base Module
Installer: C:\WINDOWS\Downloaded Program Files\wlscBase.inf
Codebase: http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
description:
classification: Legitimate
known filename: wlscBase.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: wlscBase.dll
Short name:
Date (created): 2008-01-21 21:34:22
Date (last access): 2008-02-23 19:40:42
Date (last write): 2008-01-21 21:34:22
Filesize: 465472
Attributes: archive
MD5: 66D7300A615CA949EF495270D2DA15E2
CRC32: B3EEF44F
Version: 1.7.370.1
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189011463281
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 2007-07-30 18:18:34
Date (last access): 2008-02-23 19:45:32
Date (last write): 2007-07-30 18:18:34
Filesize: 207736
Attributes: archive
MD5: 8038B166CE79E58E193566150CE26465
CRC32: 9137D395
Version: 7.0.6000.381
{C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc4.cab
description:
classification: Legitimate
known filename: opuc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 2007-10-22 10:57:52
Date (last access): 2008-02-23 19:40:42
Date (last write): 2007-10-22 10:57:52
Filesize: 524288
Attributes: archive
MD5: F1ED50F66FEF8F56E06F087AA1CE3629
CRC32: CD8AE024
Version: 12.0.5543.1000
--- Process list ---
PID: 0 ( 0) [System]
PID: 144 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 212 ( 144) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 236 ( 144) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 280 ( 236) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 292 ( 236) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 448 ( 280) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 512 ( 280) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 580 ( 280) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 824 ( 796) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 1048 ( 824) C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
size: 405504
MD5: A7E1BDD605277ABAD6603E6854270042
PID: 1176 (1160) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5146448
MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 4 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 2008-02-23 20:44:58
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD RfComm
GUID: {9FC48064-7298-43E4-B7BD-181F2089792A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD RfComm [Bluetooth]
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EB7E0A6-747D-41E5-B3E9-51B238242A17}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7EB7E0A6-747D-41E5-B3E9-51B238242A17}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BE5D971E-ABC2-4BEE-9C80-BAE2A10D8C86}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BE5D971E-ABC2-4BEE-9C80-BAE2A10D8C86}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4B98A9D0-0CE3-45B2-9972-AFF344D2021A}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4B98A9D0-0CE3-45B2-9972-AFF344D2021A}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CBD9838C-BC86-4C69-A2EC-E0194C37955F}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CBD9838C-BC86-4C69-A2EC-E0194C37955F}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A315DF94-269F-4F6F-B4FD-1903A31FA824}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A315DF94-269F-4F6F-B4FD-1903A31FA824}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Namespace Provider 3: Bluetooth Namespace
GUID: {06AA63E0-7D60-41FF-AFB2-3EE6D2D9392D}
Filename: %SystemRoot%\system32\wshbth.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\wshbth.dll
DB protocol: Bluetooth-Namespace
[B]Done with Spybot
Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-1482476501-507921405-725345543-1003\Software\FirstRRRun]
"First12Ru123n"=dword:00000001
that's all in that key, I will post some of my backed up ComboFix logs next.
There are more registry values I have found though that gets recreated, basically variants of some from that other case (which I been too busy with logs to look fully at yet). Do you want me to export these as well?
ComboFix 08-02-20.2 - Joakim 2008-02-20 1:53:02.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1518 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\down
.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.
2008-02-19 23:37 . 2008-02-19 23:37 250 --a------ C:\WINDOWS\gmer.ini
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-18 10:44 . 2008-02-18 10:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-18 10:39 . 2008-02-18 10:39 812,344 --a------ C:\temp\HJTInstall.exe
2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
2008-02-17 21:53 . 2008-02-17 21:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-17 21:53 . 2008-02-17 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 21:02 . 2002-09-20 10:53 235,100 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\Program Files\Analog Devices
2008-02-17 21:01 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-02-17 21:01 . 2001-09-19 13:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-02-17 21:01 . 2001-09-19 13:47 720,896 --a------ C:\WINDOWS\system32\Audio3d.dll
2008-02-17 21:01 . 2003-06-02 13:42 578,304 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
2008-02-17 21:01 . 2003-03-13 18:34 100,224 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
2008-02-17 21:01 . 2003-01-08 11:23 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-02-17 21:01 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-02-17 21:01 . 2001-09-11 15:20 30,208 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-02-17 21:01 . 2003-03-13 15:40 3,744 --a------ C:\WINDOWS\system32\drivers\smsens.sys
2008-02-17 20:34 . 2008-02-18 23:21 <DIR> d-------- C:\temp\WinLicenseDemo
2008-02-17 18:53 . 2008-02-17 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 16:44 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-17 16:44 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-17 16:44 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-17 16:44 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-17 16:44 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-17 16:44 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-17 16:44 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-17 13:35 . 2008-02-17 13:35 55 --a------ C:\WINDOWS\regrunfix.rnr
2008-02-17 03:58 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-02-16 23:10 . 2008-02-16 23:12 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\PrevxCSI
2008-02-16 09:09 . 2008-02-16 21:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 16:31 . 2008-02-17 14:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 16:30 . 2008-02-15 22:55 <DIR> d-------- C:\Documents and Settings\Joakim\.housecall6.6
2008-02-15 15:20 . 2008-02-17 22:57 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Simply Super Software
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-15 15:20 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-15 15:20 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-15 15:20 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-15 15:20 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-15 15:20 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe
2008-02-14 22:43 . 2008-02-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip
2008-02-14 12:41 . 2008-02-14 12:41 499,712 --a------ C:\WINDOWS\system32\ExSlider.dll
2008-02-14 12:41 . 2008-02-14 12:41 203,488 --a------ C:\WINDOWS\system32\ExSlider.chm
2008-02-14 12:40 . 2008-02-14 12:40 573,440 --a------ C:\WINDOWS\system32\ExStatusBar.dll
2008-02-14 12:40 . 2008-02-14 12:40 436,674 --a------ C:\WINDOWS\system32\ExStatusBar.chm
2008-02-14 12:39 . 2008-02-14 12:39 434,176 --a------ C:\WINDOWS\system32\ExThumbnail.dll
2008-02-14 12:34 . 2008-02-14 12:34 331,776 --a------ C:\WINDOWS\system32\ExTexture.dll
2008-02-14 12:34 . 2008-02-14 12:34 102,224 --a------ C:\WINDOWS\system32\ExTexture.chm
2008-02-14 12:31 . 2008-02-14 12:31 172,032 --a------ C:\WINDOWS\system32\MaskEdit.dll
2008-02-14 12:31 . 2008-02-14 12:31 53,672 --a------ C:\WINDOWS\system32\MaskEdit.chm
2008-02-14 12:28 . 2008-02-14 12:28 <DIR> d-------- C:\Program Files\Copy of EXECryptor
2008-02-13 14:50 . 2008-02-13 14:50 389,120 --a------ C:\WINDOWS\system32\ExCalc.dll
2008-02-13 14:50 . 2008-02-13 14:50 84,478 --a------ C:\WINDOWS\system32\ExCalc.chm
2008-02-13 14:42 . 2008-02-13 14:42 479,232 --a------ C:\WINDOWS\system32\ExRolList.dll
2008-02-13 14:42 . 2008-02-13 14:42 210,902 --a------ C:\WINDOWS\system32\ExRolList.CHM
2008-02-13 14:03 . 2008-02-13 14:03 225,280 --a------ C:\WINDOWS\system32\ExShellView.dll
2008-02-13 14:03 . 2008-02-13 14:03 83,770 --a------ C:\WINDOWS\system32\ExShellView.chm
2008-02-13 13:58 . 2008-02-13 13:58 397,312 --a------ C:\WINDOWS\system32\ExFolderView.dll
2008-02-13 13:58 . 2008-02-13 13:58 117,644 --a------ C:\WINDOWS\system32\ExFolderView.chm
2008-02-13 13:52 . 2008-02-13 14:09 286,720 --a------ C:\WINDOWS\system32\ExToolTip.dll
2008-02-13 13:52 . 2008-02-13 14:09 119,264 --a------ C:\WINDOWS\system32\ExToolTip.chm
2008-02-13 13:34 . 2008-02-13 13:34 438,272 --a------ C:\WINDOWS\system32\ExLabel.dll
2008-02-13 13:34 . 2008-02-13 13:34 152,774 --a------ C:\WINDOWS\system32\ExLabel.chm
2008-02-12 20:09 . 2008-02-12 20:09 1,995,825 --a------ C:\WINDOWS\system32\ExGantt.chm
2008-02-12 20:09 . 2008-02-12 20:09 1,486,848 --a------ C:\WINDOWS\system32\ExGantt.dll
2008-02-12 20:05 . 2008-02-12 20:05 634,880 --a------ C:\WINDOWS\system32\ExCalendar.dll
2008-02-12 20:05 . 2008-02-12 20:05 460,734 --a------ C:\WINDOWS\system32\ExCalendar.chm
2008-02-12 19:56 . 2008-02-12 19:56 2,680,120 --a------ C:\WINDOWS\system32\ExG2antt.chm
2008-02-12 19:56 . 2008-02-12 19:56 1,933,312 --a------ C:\WINDOWS\system32\ExG2antt.dll
2008-02-12 10:16 . 2008-02-12 10:16 <DIR> d-------- C:\Program Files\QuickTime
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\js
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\images
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\html
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\css
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Business Objects
2008-02-11 18:10 . 2008-02-11 18:10 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-02-11 18:09 . 2008-02-11 18:09 <DIR> d-------- C:\Program Files\Windows Mobile 5.0 SDK R2
2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-11 17:51 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-02-11 17:51 . 2008-02-11 17:51 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-02-11 17:50 . 2008-02-11 17:50 <DIR> d-------- C:\Program Files\Microsoft Web Designer Tools
2008-02-11 17:47 . 2008-02-11 17:47 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-02-11 17:47 . 2008-02-11 17:47 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-02-11 17:47 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-02-11 17:46 . 2008-02-11 17:46 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-02-07 23:56 . 2008-02-07 23:57 <DIR> d-------- C:\xampp
2008-02-07 23:42 . 2008-02-07 23:43 30,565,644 --a------ C:\xampp-win32-1.6.6-RC2.7z
2008-02-06 11:10 . 2008-02-11 02:19 <DIR> d-------- C:\temp\htdocs
2008-02-06 10:35 . 2008-02-10 19:06 228,285 --a------ C:\temp\mxEAL.zip
2008-02-02 19:19 . 2008-02-02 19:19 896,535 --a------ C:\temp\e107bb_v3.0.0.zip
2008-02-02 09:08 . 2008-02-02 09:08 <DIR> d-------- C:\Documents and Settings\Joakim\Contacts
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VMware
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-02-19 23:57 --------- d-----w C:\Program Files\SpywareGuard
2008-02-18 14:03 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Skype
2008-02-17 23:50 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-17 23:36 --------- d-----w C:\Program Files\SpeedFan
2008-02-17 22:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-17 22:19 --------- d-----w C:\Program Files\Java
2008-02-17 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 17:54 --------- d-----w C:\Program Files\Lavasoft
2008-02-16 23:46 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-02-16 21:49 --------- d-----w C:\Documents and Settings\Joakim\Application Data\uTorrent
2008-02-16 20:50 --------- d-----w C:\Program Files\Windows Desktop Search
2008-02-14 23:04 --------- d-----w C:\Program Files\WYSIWYG Web Builder 4.0
2008-02-14 21:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Lavasoft
2008-02-14 11:41 --------- d-----w C:\Program Files\Exontrol
2008-02-14 11:29 --------- d-----w C:\Program Files\EXECryptor
2008-02-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-12 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-11 17:37 --------- d-----w C:\Program Files\MSDN
2008-02-11 17:24 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-11 17:21 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-11 16:58 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-02-11 16:53 --------- d-----w C:\Program Files\MSBuild
2008-02-10 23:43 --------- d-----w C:\Program Files\FlashFXP
2008-02-01 20:16 --------- d-----w C:\Program Files\TortoiseCVS
2008-01-23 15:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-10 19:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\vlc
2008-01-04 22:28 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VanDyke
2008-01-03 22:10 --------- d-----w C:\Program Files\Skype
2008-01-01 22:02 --------- d-----w C:\Program Files\TortoiseSVN
2007-12-24 01:22 --------- d-----w C:\Documents and Settings\Joakim\Application Data\phpDesigner 2008
2007-12-24 01:15 --------- d-----w C:\Program Files\phpDesigner 2008
2007-05-01 15:12 79,245 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.dat
2007-05-01 15:11 683,801 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.exe
2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
C:\Documents and Settings\Joakim\Start Menu\Programs\Startup\
SpeedFan.lnk.disabled [2006-03-04 16:49:13 682]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2006-02-03 00:05:49 1824]
Dispatcher.lnk.disabled [2006-04-05 16:01:09 856]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 12:27]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 11:08]
R2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 04:22]
R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-04-09 12:55]
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-05-01 21:52]
S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys [2002-10-04 11:21]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 16:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 05:17]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Launcher.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 15:06:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-17 15:06:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 02:00:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
.
**************************************************************************
.
Completion time: 2008-02-20 2:08:06 - machine was rebooted
ComboFix2.txt 2008-02-18 02:21:47
.
2008-02-12 23:25:53 --- E O F ---
ComboFix 08-02-20.2 - Joakim 2008-02-22 4:11:00.8 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\down
.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.
2008-02-22 03:53 . 2008-02-22 03:53 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-22 03:40 . 2008-02-22 03:40 <DIR> d-------- C:\Program Files\ATI Technologies
2008-02-22 03:21 . 2006-02-28 13:00 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2008-02-22 03:18 . 2008-02-22 03:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-22 00:32 . 2008-02-22 00:32 <DIR> d-------- C:\Documents and Settings\Joakim\DoctorWeb
2008-02-21 20:40 . 2008-02-21 20:41 <DIR> d-------- C:\getservice
2008-02-21 19:38 . 2008-02-21 19:38 <DIR> d-------- C:\ATI
2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Malwarebytes
2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-20 14:32 . 2008-02-20 14:32 <DIR> d-------- C:\VundoFix Backups
2008-02-19 23:37 . 2008-02-21 08:19 250 --a------ C:\WINDOWS\gmer.ini
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-18 10:44 . 2008-02-18 10:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-18 10:39 . 2008-02-18 10:39 812,344 --a------ C:\temp\HJTInstall.exe
2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
2008-02-17 21:53 . 2008-02-17 21:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-17 21:53 . 2008-02-17 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 21:02 . 2002-09-20 10:53 235,100 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\Program Files\Analog Devices
2008-02-17 21:01 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-02-17 21:01 . 2001-09-19 13:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-02-17 21:01 . 2001-09-19 13:47 720,896 --a------ C:\WINDOWS\system32\Audio3d.dll
2008-02-17 21:01 . 2003-06-02 13:42 578,304 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
2008-02-17 21:01 . 2003-03-13 18:34 100,224 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
2008-02-17 21:01 . 2003-01-08 11:23 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-02-17 21:01 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-02-17 21:01 . 2001-09-11 15:20 30,208 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-02-17 21:01 . 2003-03-13 15:40 3,744 --a------ C:\WINDOWS\system32\drivers\smsens.sys
2008-02-17 20:34 . 2008-02-18 23:21 <DIR> d-------- C:\temp\WinLicenseDemo
2008-02-17 18:53 . 2008-02-17 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 16:44 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-17 16:44 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-17 16:44 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-17 16:44 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-17 16:44 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-17 16:44 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-17 16:44 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-17 13:35 . 2008-02-17 13:35 55 --a------ C:\WINDOWS\regrunfix.rnr
2008-02-17 03:58 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-02-16 23:10 . 2008-02-16 23:12 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\PrevxCSI
2008-02-16 09:09 . 2008-02-16 21:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 16:31 . 2008-02-17 14:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 16:30 . 2008-02-15 22:55 <DIR> d-------- C:\Documents and Settings\Joakim\.housecall6.6
2008-02-15 15:20 . 2008-02-17 22:57 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Simply Super Software
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-15 15:20 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-15 15:20 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-15 15:20 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-15 15:20 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-15 15:20 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe
2008-02-14 22:43 . 2008-02-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip
2008-02-14 12:41 . 2008-02-14 12:41 499,712 --a------ C:\WINDOWS\system32\ExSlider.dll
2008-02-14 12:41 . 2008-02-14 12:41 203,488 --a------ C:\WINDOWS\system32\ExSlider.chm
2008-02-14 12:40 . 2008-02-14 12:40 573,440 --a------ C:\WINDOWS\system32\ExStatusBar.dll
2008-02-14 12:40 . 2008-02-14 12:40 436,674 --a------ C:\WINDOWS\system32\ExStatusBar.chm
2008-02-14 12:39 . 2008-02-14 12:39 434,176 --a------ C:\WINDOWS\system32\ExThumbnail.dll
2008-02-14 12:34 . 2008-02-14 12:34 331,776 --a------ C:\WINDOWS\system32\ExTexture.dll
2008-02-14 12:34 . 2008-02-14 12:34 102,224 --a------ C:\WINDOWS\system32\ExTexture.chm
2008-02-14 12:31 . 2008-02-14 12:31 172,032 --a------ C:\WINDOWS\system32\MaskEdit.dll
2008-02-14 12:31 . 2008-02-14 12:31 53,672 --a------ C:\WINDOWS\system32\MaskEdit.chm
2008-02-14 12:28 . 2008-02-14 12:28 <DIR> d-------- C:\Program Files\Copy of EXECryptor
2008-02-13 14:50 . 2008-02-13 14:50 389,120 --a------ C:\WINDOWS\system32\ExCalc.dll
2008-02-13 14:50 . 2008-02-13 14:50 84,478 --a------ C:\WINDOWS\system32\ExCalc.chm
2008-02-13 14:42 . 2008-02-13 14:42 479,232 --a------ C:\WINDOWS\system32\ExRolList.dll
2008-02-13 14:42 . 2008-02-13 14:42 210,902 --a------ C:\WINDOWS\system32\ExRolList.CHM
2008-02-13 14:03 . 2008-02-13 14:03 225,280 --a------ C:\WINDOWS\system32\ExShellView.dll
2008-02-13 14:03 . 2008-02-13 14:03 83,770 --a------ C:\WINDOWS\system32\ExShellView.chm
2008-02-13 13:58 . 2008-02-13 13:58 397,312 --a------ C:\WINDOWS\system32\ExFolderView.dll
2008-02-13 13:58 . 2008-02-13 13:58 117,644 --a------ C:\WINDOWS\system32\ExFolderView.chm
2008-02-13 13:52 . 2008-02-13 14:09 286,720 --a------ C:\WINDOWS\system32\ExToolTip.dll
2008-02-13 13:52 . 2008-02-13 14:09 119,264 --a------ C:\WINDOWS\system32\ExToolTip.chm
2008-02-13 13:34 . 2008-02-13 13:34 438,272 --a------ C:\WINDOWS\system32\ExLabel.dll
2008-02-13 13:34 . 2008-02-13 13:34 152,774 --a------ C:\WINDOWS\system32\ExLabel.chm
2008-02-12 20:09 . 2008-02-12 20:09 1,995,825 --a------ C:\WINDOWS\system32\ExGantt.chm
2008-02-12 20:09 . 2008-02-12 20:09 1,486,848 --a------ C:\WINDOWS\system32\ExGantt.dll
2008-02-12 20:05 . 2008-02-12 20:05 634,880 --a------ C:\WINDOWS\system32\ExCalendar.dll
2008-02-12 20:05 . 2008-02-12 20:05 460,734 --a------ C:\WINDOWS\system32\ExCalendar.chm
2008-02-12 19:56 . 2008-02-12 19:56 2,680,120 --a------ C:\WINDOWS\system32\ExG2antt.chm
2008-02-12 19:56 . 2008-02-12 19:56 1,933,312 --a------ C:\WINDOWS\system32\ExG2antt.dll
2008-02-12 10:16 . 2008-02-12 10:16 <DIR> d-------- C:\Program Files\QuickTime
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\js
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\images
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\html
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\WINDOWS\system32\css
2008-02-11 18:26 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Business Objects
2008-02-11 18:10 . 2008-02-11 18:10 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-02-11 18:09 . 2008-02-11 18:09 <DIR> d-------- C:\Program Files\Windows Mobile 5.0 SDK R2
2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-02-11 18:08 . 2008-02-11 18:08 <DIR> d-------- C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-11 17:51 . 2008-02-11 18:26 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-02-11 17:51 . 2008-02-11 17:51 <DIR> d-------- C:\Program Files\Microsoft SDKs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-22 03:09 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VMware
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-02-19 23:57 --------- d-----w C:\Program Files\SpywareGuard
2008-02-18 14:03 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Skype
2008-02-17 23:50 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-17 23:36 --------- d-----w C:\Program Files\SpeedFan
2008-02-17 22:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-17 22:19 --------- d-----w C:\Program Files\Java
2008-02-17 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 17:54 --------- d-----w C:\Program Files\Lavasoft
2008-02-16 23:46 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-02-16 21:49 --------- d-----w C:\Documents and Settings\Joakim\Application Data\uTorrent
2008-02-16 20:50 --------- d-----w C:\Program Files\Windows Desktop Search
2008-02-14 23:04 --------- d-----w C:\Program Files\WYSIWYG Web Builder 4.0
2008-02-14 21:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Lavasoft
2008-02-14 11:41 --------- d-----w C:\Program Files\Exontrol
2008-02-14 11:29 --------- d-----w C:\Program Files\EXECryptor
2008-02-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-12 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-11 17:37 --------- d-----w C:\Program Files\MSDN
2008-02-11 17:24 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-11 17:21 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-11 16:58 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-02-11 16:53 --------- d-----w C:\Program Files\MSBuild
2008-02-10 23:43 --------- d-----w C:\Program Files\FlashFXP
2008-02-01 20:16 --------- d-----w C:\Program Files\TortoiseCVS
2008-01-23 15:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-10 19:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\vlc
2008-01-04 22:28 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VanDyke
2008-01-03 22:10 --------- d-----w C:\Program Files\Skype
2008-01-01 22:02 --------- d-----w C:\Program Files\TortoiseSVN
2007-12-24 01:22 --------- d-----w C:\Documents and Settings\Joakim\Application Data\phpDesigner 2008
2007-12-24 01:15 --------- d-----w C:\Program Files\phpDesigner 2008
2007-05-01 15:12 79,245 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.dat
2007-05-01 15:11 683,801 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.exe
2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
C:\Documents and Settings\Joakim\Start Menu\Programs\Startup\
SpeedFan.lnk.disabled [2006-03-04 16:49:13 682]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2006-02-03 00:05:49 1824]
Dispatcher.lnk.disabled [2006-04-05 16:01:09 856]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 12:27]
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-05-01 21:52]
S2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 11:08]
S2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 04:22]
S2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys [2007-04-09 12:55]
S3 ATICDSDr;ATICDSDr;C:\DOCUME~1\Joakim\LOCALS~1\Temp\ATICDSDr.sys []
S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys [2002-10-04 11:21]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys [2008-02-18 19:42]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 22:10]
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 16:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 05:17]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]
S4 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Launcher.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 15:06:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-17 15:06:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 04:19:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2008-02-22 4:26:54 - machine was rebooted
ComboFix2.txt 2008-02-21 21:57:46
ComboFix3.txt 2008-02-21 21:10:53
ComboFix4.txt 2008-02-20 01:08:07
ComboFix5.txt 2008-02-18 02:21:47
.
2008-02-12 23:25:53 --- E O F ---
I will now download a new copy of CF and try to run a scan with current situation. I have not noticed any renaming but it's possibly because my very first actions. The files in down dir have been there but as I also said before, I tried to fix this myself before I turned here for help but was only half successful. I also think 1 CF log was lost as the program seem to recycle them pushing the stack after 5 runs/backup. But I think I got rid of these files without seeing them coming back, before I turned here.
steamwiz
2008-02-24, 01:31
Hi
This infection hides it's reinfector in what appears to be a legitimate file with a legit run key, so that when you reboot it can reinfect ...
the first Combofix log shows this run key & the infected file is atiptaxx.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]
The second Combofix log shows the atiptaxx.exe run key gas been moved to the run- & now the ashDisp.exe is the infecter ... note the date & size on both files ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
-
ComboFix 08-02-20.2 - Joakim 2008-02-20 1:53:02.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1518 [GMT 1:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-12 11:18 1679729]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
-
ComboFix 08-02-20.2 - Joakim 2008-02-22 4:11:00.8 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1593 [GMT 1:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-02-12 11:18 1679729]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
--------------
Another interesting thing is XP doesn't by default have a :-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] key
It uses different keys ...
--
I'm sending you another PM
steam
Then I was right in my suspision of the ati driver, although it was more intuition then technical analys :santa: and now it hits me I havenät seen the avast popper about updated deffinitions for a while :oops: but I have plugged the speakers into my notebook for some entertainment while wating for scans :red:
so it should basically be just to reinstall Avast to replace the file, unless it has moved to another hideout.
steamwiz
2008-02-24, 02:15
Then I was right in my suspision of the ati driver, although it was more intuition then technical analys :santa: and now it hits me I havenät seen the avast popper about updated deffinitions for a while :oops: but I have plugged the speakers into my notebook for some entertainment while wating for scans :red:
so it should basically be just to reinstall Avast to replace the file, unless it has moved to another hideout.
Well seeing as you stopped it pretty quickly in it's tracks, it probably never got to be a full blown infection, so it wont hurt to try that, remember it's when you reboot that it will jump to another file/runkey so try to do as much as possible without rebooting, then when you run another Combofix scan we can see what it says ...
My bedtime now ... don't forget the PM I just sent you, I'll catch up with you again tomorrow :)
steam
The :spider: is dead and I am out of the web :santa:, I will post back later today with details and CF logs etc. as there still is some clean up and system repair to do. Just thought to let you know and I think I deserve some sleep now.
So I am fine at the moment, pick someone in the end of the queue instead meanwhile, if you have time to spare.
Ok here are fresh CF and HJT logs, CF first and then HJT. Regrun also produced some interesting logs as well which you might be interested in looking at, including a boot log and others I think - but it's quite much data so maybe you don't want me to post it here?
ComboFix 08-02-24.4 - Joakim 2008-02-24 10:33:16.10 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1592 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-24 to 2008-02-24 )))))))))))))))))))))))))))))))
.
2008-02-24 04:34 . 2008-02-24 10:21 1,783,562,240 --a------ C:\LogFile.Etl
2008-02-23 15:40 . 2008-02-24 04:43 78 --a------ C:\WINDOWS\lsoon.ini
2008-02-23 15:22 . 2008-02-24 10:58 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-02-23 15:18 . 2005-04-03 14:02 8,944 --a------ C:\WINDOWS\system32\drivers\UnHackMeDrv.sys
2008-02-23 15:08 . 2008-02-23 15:09 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Regrun
2008-02-23 15:04 . 2008-02-23 15:04 30,946 --a------ C:\WINDOWS\system32\drivers\Partizan.sys
2008-02-23 15:04 . 2008-02-23 15:04 25,088 --a------ C:\WINDOWS\system32\Partizan.exe
2008-02-23 14:53 . 2008-02-24 03:36 <DIR> d-------- C:\regrunplat570
2008-02-23 14:53 . 2008-02-23 14:53 <DIR> d-------- C:\Program Files\Greatis
2008-02-23 14:53 . 2008-02-13 11:41 441,856 --a------ C:\WINDOWS\RunGuard.exe
2008-02-23 14:53 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
2008-02-23 14:53 . 2000-12-12 19:56 16,384 --a------ C:\WINDOWS\WinBait.org
2008-02-23 14:53 . 2000-12-12 19:56 16,384 --a------ C:\WINDOWS\WinBait.exe
2008-02-23 14:52 . 2008-02-23 14:52 11,266,935 --a------ C:\regrunplat570.zip
2008-02-23 12:46 . 2008-02-23 12:50 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-02-23 03:22 . 2008-02-23 03:21 1,238,736 --a------ C:\MGtools.exe
2008-02-23 03:08 . 2008-02-23 03:08 <DIR> d-------- C:\Program Files\CCleaner
2008-02-23 02:57 . 2008-02-23 02:57 <DIR> d-------- C:\Program Files\ERUNT
2008-02-22 15:36 . 2008-02-22 15:36 791,393 --a------ C:\temp\erunt-setup.exe
2008-02-22 14:31 . 2008-02-22 17:28 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-02-22 11:51 . 2008-02-22 11:55 <DIR> d-------- C:\WinLicense
2008-02-22 04:53 . 2008-02-22 04:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Simply Super Software
2008-02-22 04:48 . 2008-02-22 04:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\VMware
2008-02-22 04:42 . 2008-02-22 04:42 6,300,696 --a------ C:\temp\SUPERAntiSpywarePro.exe
2008-02-22 03:53 . 2008-02-23 12:46 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-22 03:40 . 2008-02-22 03:40 <DIR> d-------- C:\Program Files\ATI Technologies
2008-02-22 03:21 . 2006-02-28 13:00 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2008-02-22 03:18 . 2008-02-22 03:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-02-22 00:32 . 2008-02-22 00:32 <DIR> d-------- C:\Documents and Settings\Joakim\DoctorWeb
2008-02-21 20:40 . 2008-02-21 20:41 <DIR> d-------- C:\getservice
2008-02-21 19:38 . 2008-02-21 19:38 <DIR> d-------- C:\ATI
2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Malwarebytes
2008-02-21 01:03 . 2008-02-21 01:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-02-20 14:32 . 2008-02-20 14:32 <DIR> d-------- C:\VundoFix Backups
2008-02-19 23:37 . 2008-02-21 08:19 250 --a------ C:\WINDOWS\gmer.ini
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-18 14:02 . 2008-02-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-18 10:44 . 2008-02-18 10:44 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-18 10:39 . 2008-02-18 10:39 812,344 --a------ C:\temp\HJTInstall.exe
2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
2008-02-17 21:53 . 2008-02-17 21:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-17 21:53 . 2008-02-17 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-17 21:02 . 2002-09-20 10:53 235,100 --a------ C:\WINDOWS\system32\drivers\MidiSyn.sys
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-02-17 21:01 . 2008-02-17 21:01 <DIR> d-------- C:\Program Files\Analog Devices
2008-02-17 21:01 . 2001-09-11 15:20 1,285,632 --a------ C:\WINDOWS\system32\SMMedia.dll
2008-02-17 21:01 . 2001-09-19 13:47 765,952 --a------ C:\WINDOWS\system\crlds3d.dll
2008-02-17 21:01 . 2001-09-19 13:47 720,896 --a------ C:\WINDOWS\system32\Audio3d.dll
2008-02-17 21:01 . 2003-06-02 13:42 578,304 --a------ C:\WINDOWS\system32\drivers\smwdm.sys
2008-02-17 21:01 . 2003-03-13 18:34 100,224 --a------ C:\WINDOWS\system32\drivers\aeaudio.sys
2008-02-17 21:01 . 2003-01-08 11:23 49,152 --a------ C:\WINDOWS\system32\DSndUp.exe
2008-02-17 21:01 . 2002-04-17 15:05 45,056 --a------ C:\WINDOWS\system32\CleanUp.exe
2008-02-17 21:01 . 2001-09-11 15:20 30,208 --a------ C:\WINDOWS\system32\wdmioctl.dll
2008-02-17 21:01 . 2003-03-13 15:40 3,744 --a------ C:\WINDOWS\system32\drivers\smsens.sys
2008-02-17 20:34 . 2008-02-18 23:21 <DIR> d-------- C:\temp\WinLicenseDemo
2008-02-17 18:53 . 2008-02-17 18:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 16:44 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-02-17 16:44 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-02-17 16:44 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-02-17 16:44 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-02-17 16:44 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-02-17 16:44 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-02-17 16:44 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-02-17 13:35 . 2008-02-17 13:35 55 --a------ C:\WINDOWS\regrunfix.rnr
2008-02-17 03:58 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-02-16 23:10 . 2008-02-16 23:12 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\PrevxCSI
2008-02-16 09:09 . 2008-02-16 21:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-15 16:31 . 2008-02-17 14:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-15 16:30 . 2008-02-15 22:55 <DIR> d-------- C:\Documents and Settings\Joakim\.housecall6.6
2008-02-15 15:20 . 2008-02-22 08:52 <DIR> d-------- C:\Program Files\Trojan Remover
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\Joakim\Application Data\Simply Super Software
2008-02-15 15:20 . 2008-02-15 15:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-02-15 15:20 . 2006-05-25 14:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-02-15 15:20 . 2003-02-02 19:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-02-15 15:20 . 2005-08-26 00:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-02-15 15:20 . 2002-03-06 00:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-02-15 15:20 . 2006-06-19 12:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe
2008-02-14 22:43 . 2008-02-17 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip
2008-02-14 12:41 . 2008-02-14 12:41 499,712 --a------ C:\WINDOWS\system32\ExSlider.dll
2008-02-14 12:41 . 2008-02-14 12:41 203,488 --a------ C:\WINDOWS\system32\ExSlider.chm
2008-02-14 12:40 . 2008-02-14 12:40 573,440 --a------ C:\WINDOWS\system32\ExStatusBar.dll
2008-02-14 12:40 . 2008-02-14 12:40 436,674 --a------ C:\WINDOWS\system32\ExStatusBar.chm
2008-02-14 12:39 . 2008-02-14 12:39 434,176 --a------ C:\WINDOWS\system32\ExThumbnail.dll
2008-02-14 12:34 . 2008-02-14 12:34 331,776 --a------ C:\WINDOWS\system32\ExTexture.dll
2008-02-14 12:34 . 2008-02-14 12:34 102,224 --a------ C:\WINDOWS\system32\ExTexture.chm
2008-02-14 12:31 . 2008-02-14 12:31 172,032 --a------ C:\WINDOWS\system32\MaskEdit.dll
2008-02-14 12:31 . 2008-02-14 12:31 53,672 --a------ C:\WINDOWS\system32\MaskEdit.chm
2008-02-14 12:28 . 2008-02-14 12:28 <DIR> d-------- C:\Program Files\Copy of EXECryptor
2008-02-13 14:50 . 2008-02-13 14:50 389,120 --a------ C:\WINDOWS\system32\ExCalc.dll
2008-02-13 14:50 . 2008-02-13 14:50 84,478 --a------ C:\WINDOWS\system32\ExCalc.chm
2008-02-13 14:42 . 2008-02-13 14:42 479,232 --a------ C:\WINDOWS\system32\ExRolList.dll
2008-02-13 14:42 . 2008-02-13 14:42 210,902 --a------ C:\WINDOWS\system32\ExRolList.CHM
2008-02-13 14:03 . 2008-02-13 14:03 225,280 --a------ C:\WINDOWS\system32\ExShellView.dll
2008-02-13 14:03 . 2008-02-13 14:03 83,770 --a------ C:\WINDOWS\system32\ExShellView.chm
2008-02-13 13:58 . 2008-02-13 13:58 397,312 --a------ C:\WINDOWS\system32\ExFolderView.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-24 09:24 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VMware
2008-02-23 22:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-23 02:48 --------- d-----w C:\Documents and Settings\Joakim\Application Data\uTorrent
2008-02-22 08:01 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\VMware
2008-02-20 01:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-02-19 23:57 --------- d-----w C:\Program Files\SpywareGuard
2008-02-18 14:03 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Skype
2008-02-17 23:36 --------- d-----w C:\Program Files\SpeedFan
2008-02-17 22:19 --------- d-----w C:\Program Files\Java
2008-02-17 20:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 17:54 --------- d-----w C:\Program Files\Lavasoft
2008-02-16 20:50 --------- d-----w C:\Program Files\Windows Desktop Search
2008-02-14 23:04 --------- d-----w C:\Program Files\WYSIWYG Web Builder 4.0
2008-02-14 21:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\Lavasoft
2008-02-14 11:41 --------- d-----w C:\Program Files\Exontrol
2008-02-14 11:29 --------- d-----w C:\Program Files\EXECryptor
2008-02-12 23:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-02-12 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-11 17:37 --------- d-----w C:\Program Files\MSDN
2008-02-11 17:24 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-02-11 17:21 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-11 16:58 --------- d-----w C:\Program Files\Common Files\Merge Modules
2008-02-11 16:53 --------- d-----w C:\Program Files\MSBuild
2008-02-10 23:43 --------- d-----w C:\Program Files\FlashFXP
2008-02-01 20:16 --------- d-----w C:\Program Files\TortoiseCVS
2008-01-24 13:35 --------- d-----w C:\Program Files\WYSIWYG Web Builder 5
2008-01-23 15:27 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-23 12:11 --------- d-----w C:\Program Files\Effective Studios
2008-01-10 19:29 --------- d-----w C:\Documents and Settings\Joakim\Application Data\vlc
2008-01-04 22:28 --------- d-----w C:\Documents and Settings\Joakim\Application Data\VanDyke
2008-01-03 22:10 --------- d-----w C:\Program Files\Skype
2008-01-01 22:02 --------- d-----w C:\Program Files\TortoiseSVN
2007-12-24 01:22 --------- d-----w C:\Documents and Settings\Joakim\Application Data\phpDesigner 2008
2007-12-24 01:15 --------- d-----w C:\Program Files\phpDesigner 2008
2007-05-01 15:12 79,245 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.dat
2007-05-01 15:11 683,801 ----a-w C:\Documents and Settings\Joakim\Application Data\unins000.exe
2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS0]
@={5d1cb710-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS1]
@={5d1cb711-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS2]
@={5d1cb712-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS3]
@={5d1cb713-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS4]
@={5d1cb714-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS5]
@={5d1cb715-1c4b-11d4-bed5-005004b1f42f}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\TortoiseCVS6]
@={5d1cb716-1c4b-11d4-bed5-005004b1f42f}
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2007-12-21 21:53 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb710-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb711-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb712-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb713-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb714-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb715-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CLASSES_ROOT\CLSID\{5d1cb716-1c4b-11d4-bed5-005004b1f42f}]
2007-12-02 22:00 1421312 --a------ C:\Program Files\TortoiseCVS\TortoiseShell.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"Registry"="C:\Program Files\Greatis\RegRunSuite\lsoon.exe" [2008-02-13 11:40 390656]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [2008-02-13 11:41 356864]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52 68400]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52 56112]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"RegRun WinBait"="C:\WINDOWS\winbait.exe" [2000-12-12 19:56 16384]
"@RegRunOnSecure"="C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe" [2003-01-22 11:03 57856]
C:\Documents and Settings\Joakim\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk.disabled [2008-02-23 02:57:40 767]
SpeedFan.lnk.disabled [2006-03-04 16:49:13 682]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk.disabled [2006-02-03 00:05:49 1824]
Dispatcher.lnk.disabled [2006-04-05 16:01:09 856]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= C:\Program Files\Greatis\RegRunSuite\RRShell.dll [2004-11-02 09:15 368711]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe"
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundDestinationUnreachable"= 0 (0x0)
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-07 12:27]
S0 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-02-23 15:04]
S2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
S2 tcaicchg;tcaicchg;C:\WINDOWS\System32\tcaicchg.sys [2000-06-06 11:08]
S2 TCAITDI;TCAITDI Protocol;C:\WINDOWS\system32\DRIVERS\TCAITDI.sys [2001-09-04 04:22]
S3 GTwinUSB;GTwinUSB;C:\WINDOWS\system32\Drivers\GTwinUSB.sys [2002-10-04 11:21]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]
S3 MBAMCatchMe;MBAMCatchMe;C:\Program Files\Malwarebytes' Anti-Malware\catchme.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-02-24 10:58]
S3 VSPerfDrv90;Performance Tools Driver 9.0;C:\Program Files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [2007-09-04 16:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2006-12-02 05:17]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2007-11-07 08:58]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-17 15:06:35 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-17 15:06:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 10:58:14
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2008-02-24 11:05:41 - machine was rebooted
ComboFix2.txt 2008-02-23 03:09:59
ComboFix3.txt 2008-02-22 03:26:54
ComboFix4.txt 2008-02-21 21:57:46
ComboFix5.txt 2008-02-21 21:10:53
.
2008-02-12 23:25:53 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33, on 2008-02-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "J:\backreg\rstore.ini"
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - Startup: ERUNT AutoBackup.lnk.disabled
O4 - Startup: SpeedFan.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Dispatcher.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.astrocalc.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189011463281
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}: NameServer = 213.226.224.12,213.226.224.66
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 7426 bytes
steamwiz
2008-02-24, 14:00
Hi
There are more registry values I have found though that gets recreated, basically variants of some from that other case (which I been too busy with logs to look fully at yet). Do you want me to export these as well?
Post them please ...
Ok here are fresh CF and HJT logs, CF first and then HJT. Regrun also produced some interesting logs as well which you might be interested in looking at, including a boot log and others I think - but it's quite much data so maybe you don't want me to post it here?
Yes please ... post it all ... if there's nothing you don't want posted on open forum in it.
I'll have a look through it, & others may want to as well...
Can you run a new KAV scan as well please ... no need to post any of the log if it's clean ... if not just post the infected lines ...
As it's Sunday I wont be on-line all day, but I'll keep checking back whenever I get the chance
thanks
steam
I will run a kav but last time it took 20 hours, but it might have been due to the infection - although I do have a big system :alien:
As you said, it's sunday. I have written a separrate report I will post next, then I will come with more logs later. But now my girlfriend will kill me if I don't get out with her :angel:
Some tighing up comments about the removal. There were 2 identical infectors to remove actually, the one that popped up the "select file" dialog, which I assume is the original of the dropped copy, and the backup I belive. As I never let it bloom in a full blown infection I am not sure about the later behaviour here though. It seem though that initially the parent infector that was run picked my display driver's control util to replace. I cannot tell for sure, but I rebooted a few times before I got a hunch that ATI dll had a take in the party and I was not able to track more then 1 extra copy of the trigger. My belive is that it simply check if it has a sibbling and if not it pick a new one, on boot.
Your pointer to that other threed was much helpful to figure out the final link in the regeneration, that it copied itself into another startup file and took its place. I had the rest figured out and eventually Imay had come to that discovery as well, but heck why wait ;-) thanks a lot.
The actual blocking of and then removal was only possible with the help of IceSword and RegRun. Initially it didn't allow IceSword to run and it was RegRun that really caught it in the first place, even if it wasn't able to eliminate it fully by its own. Only with IceSword I was able to kill the hooked dialog process, but I am mighty impressed by RegRun and possibly I am just too new and unfamilar with this tool to use its full potential. I ran the free, somewhat limited version first, which lead me on the track, while Spybot and ComboFix just went round in circles. These are great tools though, not to be mistaken about that, but it was after I installed RegRun 5.7 Platinum for a 30 days trail I started to get somewere with it and I will definately buy this tool after my trail (or even sooner)!
So while computer was hanging on the file select dialog, I killed with Icesword first the backup file process and then the file process hooking the dialog. Now the thing is, and I don't know if this is a coincident or not, but the backup process was actually RegRun's watchdog.exe file which seem to have slipped through. I found the backup by making a system wide search for files with about th same size. There was several files with same size, but the backup can be separated out as it has the same green icon. I tested all these same size files at jotti's and the others where clean although they may as well just be empty corps - I can't really tell as I have run just the minimal since the firs incident so at this point I actually don't know how much damage has been done. Valuable to knowas well is that as jotti, only AVG and VBA32 was able to flag the original infector, the very first ran exe file. Apart from these 2, also Ikarus and Cprotect (I think it's called) flagged the dropped copy as infected. At viruscontrol, also Avira flagged the the original infector (although not at jotti, same file uploaded).
As for Regrun's watchguard, I expanded the setup file and copied a fresh watchguard.exe into Regruns program dir and then simply double clicked to start it and it seemed to take up it's duties again ;-) this might be a very important step, incase original watchdog.exe is lost to the bug as we will see soon.
After that I cleaned up all known places in registry with Icesword, meanwhile Regrun watched everything in the background and let me decide what to allow and not. When done I used "Reboot and Monitor" in Icesword and now comes next surprice as when booting up RegRun flagged for a driver file infected with Almanahe.D and had my kill it on a new reboot. If this was a part of the initial infection is hard to tell for me, but I assume with all the different scans I have done the last days (6-7 online scans, and several local scans with Avast and 3-4 other wellknown anti-malware scanners I downloaded and tested) it would have been found earlier. Well it makes sense as Regrun catched it now but not 10 minutes earlier ;-)
Ok so far so good, I think my computer is "safe" for now but damage need to be evaluated, I know there are some faults with registry keys. But it's a nice sunny sunday, so I will close down all systems and go for a long refreshing walk also cleaning out my thoughts ;-) and we can start next phase tohight or maybe tomorrow. Just let me know if there is something special you want me to do?
Btw, when running ComboFix I disabled Regrun but missed the RegGuard, but it seem to have interact with CF in a nice way and let it run after my approval. Before that I actually did disable regguard from that dialog. On reboot Regrun took control again and flagged CF in an early state. I clicked to add it to the ignore list and then selcted it to be a false positive, and Regrun then flagged to reboot to "disinfect". Maybe a bad selection of wording in this scenerio when there is nothing bad to deal with but I guess the reboot is necessary. So reboot and Regrun left ComboFix alone to do it's job and I think it all came out well. They both funcined with exelency here!
I am not affilated in any way, but I feel like saying it again, I strongly recomend RegRun. There is a free functional version with some none functional parts, it helped me at the very first stage. At that stage I was suspisious about anything, especially if it had an installer so I didn't try the fully function setup then. But now I would recommend that one as although it brings a minor cost after the free 30 days, it's a penny of all it can save you from further on! And it isn't really expensive either ;-) and again, I understand this almost sounds like advertizing but I like to stress that I am not affilated in any way - just a very happy user as I realize this could have ended in a horror.
steamwiz
2008-02-24, 23:26
HI
Thank you for the write-up/report, I'm sure it will help many people.
Normally I'd be telling you what to delete to clean up now, but I think you are more than capable of deciding for yourself ...
The file you uploaded for me was 0 bytes ... can you upload it again please...
2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip < is this it ?
2008-02-22 11:51 . 2008-02-22 11:55 <DIR> d-------- C:\WinLicense <<< is this your legit version ?
2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe < avast! Virus Cleaner Tool - The latest version is 1.0.211, built on 11.5.2007. Size: 398 KB ... 407,680 is a little on the large size - check it out or delete it.
These look like legit setup files you have saved in the temp folder, saving files in a temp folder is a good way to loose them, many cleanup programs delete all files in temp folders... if you want to keep these - move them somewhere more permanent.
2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll < delete this
This key also needs to be reset :-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid
To :-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
A reg file like this will do it :-
====
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
====
a couple of other things ...
1. You mentioned the registry keys you saw were not quite the same as in the write-up I pointed you to ... would you post the registry keys you are referring to please...
2. This infection disabled safemode, but you appear to have it back OK ?
If you are having any problems with that, please run Safeboot repair by sUBs:
http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe
I think that's it...
steam
HI
Thank you for the write-up/report, I'm sure it will help many people.
Normally I'd be telling you what to delete to clean up now, but I think you are more than capable of deciding for yourself ...
The file you uploaded for me was 0 bytes ... can you upload it again please...
Hmm I assume you talk about the file uploaded to bleepingcomputer? was it winlicense.zip or you got a winlicense.exe as 0 ? I ask as at the time I was a bit tired in my head ;-) and first tried to upload the exe twice with error result before my brain kicked in and told me to zip it.
2008-02-14 22:22 . 2008-02-14 22:22 17,255,626 --a------ C:\temp\WinLicenseDemo.zip < is this it ?
2008-02-22 11:51 . 2008-02-22 11:55 <DIR> d-------- C:\WinLicense <<< is this your legit version ?
The latter is my legit, the other is the official demo I downloaded just to compare.
2008-02-15 00:12 . 2008-02-15 00:11 407,680 --a------ C:\temp\aswclnr.exe < avast! Virus Cleaner Tool - The latest version is 1.0.211, built on 11.5.2007. Size: 398 KB ... 407,680 is a little on the large size - check it out or delete it.
It's their trojan scan and remover tool, pretty useless actually and it has been deleted. Actually I removed Avast completely in favour of AVG Free as it (together with VBA32 and RegRun) was the only scanners that picked up the original infection.
These look like legit setup files you have saved in the temp folder, saving files in a temp folder is a good way to loose them, many cleanup programs delete all files in temp folders... if you want to keep these - move them somewhere more permanent.
2008-02-18 00:53 . 2008-02-18 00:53 2,062,665 --a------ C:\temp\spywareguardsetup.exe
2008-02-18 00:42 . 2008-02-18 00:43 2,566,736 --a------ C:\temp\spywareblastersetup351.exe
2008-02-17 23:14 . 2008-02-17 23:13 15,852,952 --a------ C:\temp\jre-6u4-windows-i586-p.exe.exe
2008-02-14 22:27 . 2008-02-14 22:38 21,364,592 --a------ C:\temp\aaw2007.exe
It's more of my private temp folder actually were I put anything new or unknown unless they have a proper place already. But you are right, maybe I should rename it to something else as this is files I want to control myself when to delete.
2007-08-26 00:41 23 --sha-w C:\WINDOWS\system32\abbdadee_r.dll < delete this
I also found in system32 this file: adffbdceebefb3_r.ocx 1kb and it looks to me as a candidate for deletion as well?
Then I have one C:\LogFile.Etl with the enourmous size of almost 2 gb and it has a time stamp of 2008-02-24 10:21 which is about the time I got back to the computer having had some hours of sleep after finally killing the thing. I just thought if you know anything about this file before I delete it?
a couple of other things ...
1. You mentioned the registry keys you saw were not quite the same as in the write-up I pointed you to ... would you post the registry keys you are referring to please...
Well maybe I expressed myself unclear as english isn't my native lang... What I meant actually was that I didn't have all of the keys listed in that write up. Now it's all gone so I cannot check back but I think the keys as such I had was the same. When I google it I found them to match Bagle.hi and Bagle.iw (or if it was .wi) but if you get the original infector it should be possible to study it in a secure env in more detail I guess.
Things are a bit unclear as I realize I been struggling with this for 10 days (when I really should have done other things, like work) and the first 2-3 days I did it totally on my own as I though I was capable to fix it :red: but at least I managed to stop its propagation.
2. This infection disabled safemode, but you appear to have it back OK ?
If you are having any problems with that, please run Safeboot repair by sUBs:
http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe
I think that's it...
steam
Well here I think this variant act differently, appreantly it doesn't delete the Safe Mode keys but add junk to them - but I am not sure about that. Originally I couldn't boot into safe more but then somehow it got fixed. At the time I couldn't run almost anything security related but then I managed to get rid of the LEGACY_SROSA keys and I think it was after that I could get into safe mode. However, I later come to realize that somehow (at least certain parts of) the computer belived to still run in safe mode while it actually was in normal mode - got messages like "this service cannot be started in safe more" and similar when trying to install or uninstall certain programs (using services I assume).
I now seem to have fixed this, I did it with help of this url http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
Do you think I still should run Safeboot repair?
I haven't run a kav scan yet as I thought of manually clean up a bit in my old files as there probably is much that doesn't serve its purpose anymore. I did run a full AVG scan and it found a couple of type trojan.generic and obfustat in my old files, but this is stuff that haven't been touched for years except when it has been moved from an older small HDD to my new big one. It should really have been put on dvd's or deleted but you know how it is with time and computer work.
So now I will reboot with the fixed reg key you gave me as well and I will start to run programs again to see if things works or not. So far I have not run anything except for the most absolute necessary. Then I will reinstall my Outpost Firewall, maybe I will do that first actually to catch any attempt to escape out.
I did uninstall my firewall some month ago as I found it a bit of a resourse hog, and I have another firewall higher up anyway blocking most incoming but nothing outgoing actually. Now there is a new release though so I will give it a chance as I still have a valid license for it. Ok I will get to works with it then... and I haven't had time for the other logs yet, but I will come to it, felt a bit exhousted before after 10 days with too long ours :coffee:
steam, something is still wicked with my system...
After changing that reg key you gave me and rebooted I noticed the following.
1. it took (and still takes) extremely long time to boot.
2. at login, when I click on my user name icon I am actually asked for a password, leaving it blank let me in. Previously I only had to click the icon (I didn't consider a passwd necessary as no one else come to my computer).
3. The Task bar looks different, thinner and using the classic theme. Also no program show up in the task bar (I noticed this later though so not sure if it was like that from start).
4. If I click an url that wants to open IE7 I just get "Connecting..." in the page tab and it stays with that, got ones though a message "server is busy" or something like that, I think it was with AVG, and also with AVG if I check for updates and found, when downloading it say the file is corrupted. Downloading from their site and update from folder works ok. Using IE7 "normaly" works, but if not forced to I am :FF:
I had a look at AVG's pages an ended up at the one about removing malware. I thought for fun to try the procedure there, ran windows clean up and then I downloaded CWShreader, ran just a scan and :oops:
CWS.Smartfinder FOUND
CWS.kjsearch FOUND
Because I am currious I check to move to bin instead of delete and ran Fix
CWS.Smartfinder REMOVED
CWS.kjsearch REMOVED
but nothing showsup in bin, so I uncheck it and do Fix again and again it say removed for these items.
I rebooted and Fix again but same as before.
Now I decide to run Safeboot Repair (log comes next in own post) and I then reboot. This makes the task bar look as before, but still nothing shows up there.
Another thing, I noticed the RegRun icon in tray changed before, it is now back to normal. AVG icon doesn't show up any more. I will also post a fresh HJT log as you probably will ask me to do so ;-)
Also it seem like I cannot copy and paste in this editor, but that is maybe set that way? I can copy and past in my editor.
I meant above if I try to copy something in this editor I cannot paste it back, like copy doesn't take. I can copy in my text editor though and paste it here (using FF).
Reg export of SafeBoot key after repair:
========================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\nm]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\nm.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\UploadMgr]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Option]
"OptionValue"=dword:00000001
========================
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:02, on 2008-02-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Greatis\REGRUN~1\regrun2.exe
C:\Program Files\TextPad 5\TextPad.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Microsoft Web Test Recorder 9.0 Helper - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegRun WinBait] C:\WINDOWS\winbait.exe
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "J:\backreg\rstore.ini"
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O4 - HKUS\S-1-5-21-1482476501-507921405-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1482476501-507921405-725345543-1003\..\Run: [Registry] "C:\Program Files\Greatis\RegRunSuite\lsoon.exe" -1 30 "C:\Program Files\Greatis\RegRunSuite\rescue.exe" /a "J:\backreg\rstore.ini" (User '?')
O4 - HKUS\S-1-5-21-1482476501-507921405-725345543-1003\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-1482476501-507921405-725345543-1003 Startup: ERUNT AutoBackup.lnk.disabled (User '?')
O4 - S-1-5-21-1482476501-507921405-725345543-1003 Startup: SpeedFan.lnk.disabled (User '?')
O4 - Startup: ERUNT AutoBackup.lnk.disabled
O4 - Startup: SpeedFan.lnk.disabled
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Dispatcher.lnk.disabled
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.astrocalc.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189011463281
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}: NameServer = 213.226.224.12,213.226.224.66
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Paradigma Software\Bonjour\mDNSResponder.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 8420 bytes
I try to uninstall Ad-Aware 2007 as it never worked first installed and also not after reinstall when others like Avast started to work. But Ad-Aware don't want to uninstall, it say:
Add or Remove program
The Windows Installer Service could not be accessed. This can occure if you are running in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
[OK]
steamwiz
2008-02-25, 23:02
HI
It was this file which was received as 0 bytes :-
C:\temp\WinLicenseDemo.zip (the zip) would appreciate you trying again ...
-
C:\temp is a folder often created by malware to download files to ... there is often so much rubbish in it that I will include deleting the folder completely in a script I give someone ... if any program, legit or malware needs that folder, it will create it.
-
I also found in system32 this file: adffbdceebefb3_r.ocx 1kb and it looks to me as a candidate for deletion as well?
Yes ... delete it.
-
Then I have one C:\LogFile.Etl with the enourmous size of almost 2 gb and it has a time stamp of 2008-02-24 10:21 which is about the time I got back to the computer having had some hours of sleep after finally killing the thing. I just thought if you know anything about this file before I delete it?
Yes I noticed that in the Combofix log ...
2008-02-24 04:34 . 2008-02-24 10:21 1,783,562,240 --a------ C:\LogFile.Etl
I thought it was something you were running to monitor something, Either you or one of the programs you were running was doing a tracelog & dumping it to that file ... probably RegRun.
Take a look at this :-
http://www.wilderssecurity.com/archive/index.php/t-112739.html
If you want to find out more about it, do a google search for LogFile.Etl
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=SUNA,SUNA:2005-52,SUNA:en&q=LogFile%2eEtl
-
a couple of other things ...
1. You mentioned the registry keys you saw were not quite the same as in the write-up I pointed you to ... would you post the registry keys you are referring to please...
Well maybe I expressed myself unclear as english isn't my native lang... What I meant actually was that I didn't have all of the keys listed in that write up. Now it's all gone so I cannot check back but I think the keys as such I had was the same. When I google it I found them to match Bagle.hi and Bagle.iw (or if it was .wi) but if you get the original infector it should be possible to study it in a secure env in more detail I guess.
Yes ... absolutely ... that's why we'd appreciate the file ...
-
I was about to post the above, then I saw your next post & all the problems ...
The reg file I gave you couldn't have caused those ...
Regrun is a powerful program, I'm wondering if you accidentally removed some registries which you shouldn't have ?
Bagle can damage/delete the Windows installer ... I can give you a link to the newest version at windows update if you want it ...
But I think the best course of action at the moment is to perform a system restore, to your newest restore point, AFTER removing Bagle ... the one created when you last ran Combofix ...
ComboFix 08-02-24.4 - Joakim 2008-02-24 10:33:16.10 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1592 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
* Created a new restore point
Then reassess the situation from there ...
During that brief time Bagle was installed we can never be sure something wasn't changed/deleted ... you should consider whether a reinstall is an option for you ... it may give you a chance to also get rid all that unwanted junk you mention ...
steam
Windows installer link, yes please as I have problems accessing windows update now.
Logfile.Etl was RegRun yes, a trace I ran.
I know reinstall windows would be a sane act, however it's not really an option now if can be avoided. I don't think there has been any security break but things in registry have been changed no doubt.
I'm not sure I have come to upliad WinlicenseDEmo as that's not the file ;-) I must have been tired... I will upload the file again or maybe I shall upload the whole package as it was found online? It's 14Mb
I downloaded WinlicenseDemo from Oreans to compare it with the cracked set, to see if was based on it.
steamwiz
2008-02-26, 00:52
Hi
How about :-
But I think the best course of action at the moment is to perform a system restore, to your newest restore point, AFTER removing Bagle ... the one created when you last ran Combofix ...
ComboFix 08-02-24.4 - Joakim 2008-02-24 10:33:16.10 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1592 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim\Desktop\ComboFix.exe
* Created a new restore point
Then reassess the situation from there ...
Windows installer :-
http://www.download.com/Microsoft-Windows-Installer/3000-2216_4-10757334.html
Well it looks like I screwed up that restore point... or system restore is on but say it cannot protect my computer - probably because some critical services dont run, also I have no network in control panel and IE7 wont start. Tried to reinstall it but it complains about cryptographic service not running. In other words, something closes down my services or don't allow them to start - any idea?
I do have some registry backups taken with Erunt, can it be good enough you think?
Another thing and maybe it's what is playing here, RegRun again complained about Almanahe.D worm, same as it did on first reboot after bagle was removed.
steamwiz
2008-02-26, 02:08
Combofix created that restore point OK ... if it couldn't create one, it would have said so, so it got messed up AFTER it was created ...
As for the Erunt backups, how old are they ? I noticed somwhere in your logs where Erunt backups were disabled...
cryptographic service not running ?
I had a quick look back over your thread & noticed this as early as post #10 - spybot log ...
http://forums.spybot.info/showpost.php?p=167145&postcount=10
Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Are all those files really missing? or 0 bytes ... the MD5 says they are ...
It's midnight again (as you are well aware it's 1am where you are)
So this is a link to some info on the highlighted one ...
http://www.auditmypc.com/process/crypt32.asp
this is looking more & more like a reinstall I'm sorry to say
steam
Yes just to face the facts, it has gone too bad or I screwed it up somewere on my own. I am doing a repair reinstall now and see where it will take me. Hopefully it should leave me somewhat near to where I was before the infection.
I reinstalled with the repair option, it went almost fine. I got some kind of COM+ error during install, but just an OK button so install continue - it couldn't register COM+ I think it was or at least similar. I am then not able to login to my usual account due to "account restrictions" it says, same if booting into safe mode but there it also give me the Administrator account to select and it let me in with my old password and that's were I am now. I haven't tried yet but probably it will let me in at Administrator also in Safe mode with Network.
I thought before I do anything studid now I shall wait for your advice - but don't take to long ;-) The other account is also of admin type, but it has a zero string password, which is stupid I know. It was set up for convinience by the lazy part of me and it has to change of course. But now, I have lots of programs installed in the account so if it can be made functional again it would be great.
I read that Almanahe.D take advantage of a blank or weak password, and as it was flagged before I probably should start from Administrator account now and make sure to clean all such out, well I wait for you to play the ball.
steamwiz
2008-02-26, 23:15
HI
1. The first thing you need to do is visit Windows update & get as least all the critical/security updates ....
2. Then make sure you have an anti-virus installed ... AVG free will be fine, and then run a scan with it ....
3. Make sure you have a 2-way firewall installed...
4. run some on-line virus scanners, at least 2 or 3 ...
Run Bit Defender first ...
http://www.bitdefender.fr/VIRUS-1000219-fr--Win32.Almanahe.D.html
Bit Defender ... http://www.bitdefender.com/scan8/ie.html
Housecall ... http://housecall.trendmicro.com/
Panda http://www.pandasecurity.com/usa/homeusers/solutions/activescan/?sitepanda=particulares
eset ... http://www.eset.eu/online-scanner
Kaspersky ... http://www.kaspersky.com/virusscanner
5. Do some Malware scans ...
spybot
adaware
superantispyware
6. Run & post a Combofix log ... Please follow these directions to run Combofix & post a log.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Let me know of any problems along the way ...
Post any logs which show problems ...
steam
It seem like I still have a serious problem, I cannot run IE only FF but the latter is no good for windows update :sad:
I tried to install Windows Installer but it goes to some point and I get an "access denied" error and it roll back everything.
Also as I reinstalled from XP SP2 CD now IE6 is installed. it starts but when I try to go to windowsupdate.microsoft.com I get a message "This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel". But what to associate with?
Installing IE7 also does not work, it prompt me to restart to role back changes as well and to click a troubleshoot url, whuch doesn't work as IE doesn't work.
I wonder if it can have anything to do with the COM+ error flagged during setup? or can it possibly be this http://windowssecrets.com/2007/09/27/03-Stealth-Windows-update-prevents-XP-repair but that fail too "DllRegisterServer in wuapi.dll failed. REturn code was: 0x80070005" does it turn on any light?
If I just get beyond this I should be pretty well on my own through the scans etc.
I managed to get IE to start and open WU but there it ends as it fail to install Windows Installed 3.1 - something must be missing or screwed in registry. Appearently folder options had been messed with, and I assume it's something similar here.
Ok I think I figured it out basically, the virus changed permision on certain keys. Question is if there is a some what easy was to change them back in batch or it has to be done one by one?
Like IE7 install wrote a log with unwriteable keys.
steamwiz
2008-02-27, 01:41
The trouble with a repair install in your case is that windows doesn'trepair the registry ... just the core files ... Those erunt backups may help ... ?
You should know more about COM+ than me as far as I'm aware it's used when developing application programs.
Can't think of anything else to suggest ... my brains gone dead & I'm tired so I'm off to bed...
good luck
steam
Yes I know what COM+ is :crowned: just wondered if it could affect the system start up in some way, and you know more about that area... anyhow, I have had some progress.
Obviously a lot of places in registry have had their permissions changed and possibly even keys deleted, and maybe more keys/values added. I was able to correct most of this with info from this page:
http://winonline.blogspot.com/2005/11/reset-entire-registry-permissions-to.html
I didn't follow instructions exactly though as I couldn't run msi files and install the tool, but it's just a command line exe anyway... so I used 7z (superior winzip replacement) to unpack the msi package into it's own folder under C:\Program Files and then I created the bat file there and simply double clicked it. Worked as a charm! Howerver there was 6 items that couldn't be reset nor deleted. I am working on that part now.
But after this I was able to install Windows Installer 3.1 and I was also able to install IE7 (although I had to do it twice to get a complete success) which on first install told me to go to WU after restart and there is 87 patches waithing for me but they all fail to install. The WU fix in above post didn't work first due to permission issues, regsvr32 failed, but after resetting registry permissions I could reg those wu*.dll files but WU still fails. I doesn't say why really but from trying to do other installs, like with IE online scans, I am told it cannot be run in Safe Mode.
So there are the main obstacles now, to get Windows understand it actually not is in Safe Mode, and fix, delete probably, that 6 regkeys. As the tool runs in a cmd window it's hard to get any info out but I was able to copy this last part [TO much text so in next post] from the buffer by running just the first line in the bat file, maybe it give you a hint.
Now as I am somewhat runnable again I will get that file uploaded as well, as it may hold answers to manys questions.
SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : delete Perm. ACE 1 builtin\admin
istrators
SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : new ace for builtin\administrato
rs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Enum : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov : delete Perm. ACE 1 builtin\administr
ators
SYSTEM\CurrentControlSet\Services\xmlprov : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters : delete Perm. ACE 1 builti
n\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters : new ace for builtin\admin
istrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters : 2 chan
ge(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups : delete Perm.
ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups : new ace for
builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Branding : del
ete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Branding : new
ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Branding : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Branding\http:
//www.microsoft.com/provisioning/Branding : delete Perm. ACE 1 builtin\administr
ators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Branding\http:
//www.microsoft.com/provisioning/Branding : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Branding\http://www.microsoft.com/provisioning/Branding : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection : d
elete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection : n
ew ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Connection : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\htt
p://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1 : delete Perm.
ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\htt
p://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1 : new ace for b
uiltin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Connection\http://www.microsoft.com/provisioning/BaseEapConnectionPropertie
sV1 : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\htt
p://www.microsoft.com/provisioning/EapConnectionPropertiesV1 : delete Perm. ACE
1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\htt
p://www.microsoft.com/provisioning/EapConnectionPropertiesV1 : new ace for built
in\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Connection\http://www.microsoft.com/provisioning/EapConnectionPropertiesV1
: 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\htt
p://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1 : delete Perm.
ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\htt
p://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1 : new ace for
builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Connection\http://www.microsoft.com/provisioning/MsChapV2ConnectionProperti
esV1 : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\htt
p://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1 : delete Perm. A
CE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Connection\htt
p://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1 : new ace for bu
iltin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Connection\http://www.microsoft.com/provisioning/MsPeapConnectionProperties
V1 : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Help : delete
Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Help : new ace
for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Help : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Help\http://ww
w.microsoft.com/provisioning/Help : delete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Help\http://ww
w.microsoft.com/provisioning/Help : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Help\http://www.microsoft.com/provisioning/Help : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Locations : de
lete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Locations : ne
w ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Locations : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Locations\http
://www.microsoft.com/provisioning/Locations : delete Perm. ACE 1 builtin\adminis
trators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Locations\http
://www.microsoft.com/provisioning/Locations : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Locations\http://www.microsoft.com/provisioning/Locations : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Master : delet
e Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Master : new a
ce for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Master : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Master\http://
www.microsoft.com/provisioning/Master : delete Perm. ACE 1 builtin\administrator
s
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Master\http://
www.microsoft.com/provisioning/Master : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Master\http://www.microsoft.com/provisioning/Master : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Register : del
ete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Register : new
ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Register : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Register\http:
//www.microsoft.com/provisioning/Register : delete Perm. ACE 1 builtin\administr
ators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\Register\http:
//www.microsoft.com/provisioning/Register : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\Register\http://www.microsoft.com/provisioning/Register : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\SSID : delete
Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\SSID : new ace
for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\SSID : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\SSID\http://ww
w.microsoft.com/provisioning/SSID : delete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\SSID\http://ww
w.microsoft.com/provisioning/SSID : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\SSID\http://www.microsoft.com/provisioning/SSID : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User : delete
Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User : new ace
for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\User : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://ww
w.microsoft.com/provisioning/BaseEapUserPropertiesV1 : delete Perm. ACE 1 builti
n\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://ww
w.microsoft.com/provisioning/BaseEapUserPropertiesV1 : new ace for builtin\admin
istrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\User\http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1 : 2 chan
ge(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://ww
w.microsoft.com/provisioning/EapUserPropertiesV1 : delete Perm. ACE 1 builtin\ad
ministrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://ww
w.microsoft.com/provisioning/EapUserPropertiesV1 : new ace for builtin\administr
ators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\User\http://www.microsoft.com/provisioning/EapUserPropertiesV1 : 2 change(s
)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://ww
w.microsoft.com/provisioning/MsChapV2UserPropertiesV1 : delete Perm. ACE 1 built
in\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://ww
w.microsoft.com/provisioning/MsChapV2UserPropertiesV1 : new ace for builtin\admi
nistrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\User\http://www.microsoft.com/provisioning/MsChapV2UserPropertiesV1 : 2 cha
nge(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://ww
w.microsoft.com/provisioning/MsPeapUserPropertiesV1 : delete Perm. ACE 1 builtin
\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\User\http://ww
w.microsoft.com/provisioning/MsPeapUserPropertiesV1 : new ace for builtin\admini
strators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\User\http://www.microsoft.com/provisioning/MsPeapUserPropertiesV1 : 2 chang
e(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\WirelessProfil
e : delete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\WirelessProfil
e : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\WirelessProfile : 2 change(s)
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\WirelessProfil
e\http://www.microsoft.com/provisioning/WirelessProfile : delete Perm. ACE 1 bui
ltin\administrators
SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGroups\WirelessProfil
e\http://www.microsoft.com/provisioning/WirelessProfile : new ace for builtin\ad
ministrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Parameters\SchemaGr
oups\WirelessProfile\http://www.microsoft.com/provisioning/WirelessProfile : 2 c
hange(s)
SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17} : delet
e Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17} : new a
ce for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51
B238242A17} : 2 change(s)
SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Paramet
ers : delete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Paramet
ers : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51
B238242A17}\Parameters : 2 change(s)
SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Paramet
ers\Tcpip : delete Perm. ACE 2 builtin\administrators
SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51B238242A17}\Paramet
ers\Tcpip : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{7EB7E0A6-747D-41E5-B3E9-51
B238242A17}\Parameters\Tcpip : 2 change(s)
SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824} : delet
e Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824} : new a
ce for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-19
03A31FA824} : 2 change(s)
SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824}\Paramet
ers : delete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824}\Paramet
ers : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-19
03A31FA824}\Parameters : 2 change(s)
SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824}\Paramet
ers\Tcpip : delete Perm. ACE 2 builtin\administrators
SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-1903A31FA824}\Paramet
ers\Tcpip : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{A315DF94-269F-4F6F-B4FD-19
03A31FA824}\Parameters\Tcpip : 2 change(s)
SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3} : delet
e Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3} : new a
ce for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A
6328408ED3} : 2 change(s)
SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}\Paramet
ers : delete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}\Paramet
ers : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A
6328408ED3}\Parameters : 2 change(s)
SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}\Paramet
ers\Tcpip : delete Perm. ACE 2 builtin\administrators
SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A6328408ED3}\Paramet
ers\Tcpip : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AB6B7C91-5A89-46B0-83B7-4A
6328408ED3}\Parameters\Tcpip : 2 change(s)
SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD} : delet
e Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD} : new a
ce for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-18
0588B8ACDD} : 2 change(s)
SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}\Paramet
ers : delete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}\Paramet
ers : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-18
0588B8ACDD}\Parameters : 2 change(s)
SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}\Paramet
ers\Tcpip : delete Perm. ACE 2 builtin\administrators
SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-180588B8ACDD}\Paramet
ers\Tcpip : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{AC9ACD80-8B62-44CA-9C9F-18
0588B8ACDD}\Parameters\Tcpip : 2 change(s)
SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F} : delet
e Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F} : new a
ce for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0
194C37955F} : 2 change(s)
SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Paramet
ers : delete Perm. ACE 1 builtin\administrators
SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Paramet
ers : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0
194C37955F}\Parameters : 2 change(s)
SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Paramet
ers\Tcpip : delete Perm. ACE 2 builtin\administrators
SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0194C37955F}\Paramet
ers\Tcpip : new ace for builtin\administrators
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86-4C69-A2EC-E0
194C37955F}\Parameters\Tcpip : 2 change(s)
Elapsed Time: 00 00:05:52
Done: 280633, Modified 280627, Failed 6, Syntax errors 0
Last Done : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CBD9838C-BC86
-4C69-A2EC-E0194C37955F}\Parameters\Tcpip
Last Failed: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Win
logon\Credentials - Unexpected disposition in CObjRegKey::InitObj RegCreateKeyEx
. Delete the key please !.. : 5 Access is denied.
I found a very suspisous registry entry, the key HKEY_LOCAL_MACHINE\SAM\SAM with several sub keys that certainly is invalid. Question is just if all the sub keys can be deleted or parts are needed. When comparing with my (uninfected) notebook I only have HKEY_LOCAL_MACHINE\SAM\SAM there with no sub keys. The sub keys all have binary data in it. Here is a shorter sample of a regexport
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SAM\SAM]
"C"=hex:07,00,01,00,00,00,00,00,98,00,00,00,02,00,01,00,01,00,14,80,78,00,00,\
00,88,00,00,00,14,00,00,00,44,00,00,00,02,00,30,00,02,00,00,00,02,c0,14,00,\
0e,00,05,01,01,01,00,00,00,00,00,01,00,00,00,00,02,c0,14,00,ff,ff,1f,00,01,\
01,00,00,00,00,00,05,07,00,00,00,02,00,34,00,02,00,00,00,00,00,14,00,31,00,\
02,00,01,01,00,00,00,00,00,01,00,00,00,00,00,00,18,00,3f,00,0f,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains]
@=hex(0):
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account]
"F"=hex:02,00,01,00,00,00,00,00,5c,24,7c,7e,85,d5,c3,01,82,04,00,00,00,00,00,\
00,00,00,00,00,40,de,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,80,\
00,cc,1d,cf,fb,ff,ff,ff,00,cc,1d,cf,fb,ff,ff,ff,00,00,00,00,00,00,00,00,27,\
04,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,03,00,00,00,01,00,\
00,00,01,00,01,00,01,00,00,00,38,00,00,00,ee,ef,8c,47,f0,c7,64,99,c9,84,cb,\
90,7c,cb,e6,cb,f1,55,6c,56,a8,8c,58,d0,96,4a,db,08,07,70,cc,8d,bc,5a,d6,68,\
bc,d9,40,79,a5,a6,e6,38,f4,63,69,53,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00
"V"=hex:00,00,00,00,e0,00,00,00,02,00,01,00,e0,00,00,00,18,00,00,00,00,00,00,\
00,f8,00,00,00,00,00,00,00,00,00,00,00,f8,00,00,00,00,00,00,00,00,00,00,00,\
01,00,14,80,c0,00,00,00,d0,00,00,00,14,00,00,00,44,00,00,00,02,00,30,00,02,\
00,00,00,02,c0,14,00,7a,04,05,01,01,01,00,00,00,00,00,01,00,00,00,00,02,c0,\
14,00,ff,ff,1f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,00,7c,00,05,00,00,\
00,00,00,14,00,85,03,02,00,01,01,00,00,00,00,00,01,00,00,00,00,00,00,18,00,\
85,03,02,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,00,00,18,00,df,\
07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,18,00,d5,03,\
02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,00,00,18,00,d5,03,02,\
00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,\
04,00,00,00,00,00,05,15,00,00,00,d5,cb,5c,58,fd,43,46,1e,07,e5,3b,2b
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Aliases]
@=hex(6):
Please advice?
steamwiz
2008-02-27, 21:36
Don't touch anything in the SAM key ...
[HKEY_LOCAL_MACHINE\SAM\SAM]
I don't see anything wrong with those sub keys values ( I'm not 100%, but I am 99% sure they are OK) touch them & you may not get into any of your accounts ...
Your notebook shows this only ... [HKEY_LOCAL_MACHINE\SAM]
Because the rest of the key is hidden ...
Do this & you will see a lot more :-
right-click the second SAM Key, choose "Permissions" highlight the "Administrator" and click the "Full Control" box, click "Apply" and "OK", then close and re-open Regedit.
So the keys there really should be hidden then? Well I think I screwed it again then as I did tuch them, and now I cannot boot as I get a lsass.exe system - system error : Object not found. I did export a copy of the keys, and I can get into the recovery console. Is it possible to execute a .reg file there?
damit I am too unpatient!
I managed to get back into safe mode and should now be able to restore registry with my backup. Then what I need is to find where and what make programs think we are in safe mode. There must be some flag or something?
steamwiz
2008-02-28, 00:15
I guess this is too late now ...
Recovery console uses reg.exe
Try this ...
reg import C:\your reg backup file or A:\ if it's on a floppy
You may want to have a look at this for uses of reg.exe in recovery console :-
http://www.resellerratings.com/forum/showpost.php?p=865677&postcount=41
It appear reg is not or no longer a part of RC on XP SP2 CD, but I managed the situation anyhow.
This url helped me to get back into windows
http://www.easydesksoftware.com/news/news36.htm
Then I found I had some old registry backups done with ERUNT, I restored the oldest one although it was since before I got it properly cleaned out. With the infected files gone this shouldn't be a problem and I got back a less "messed by me" registry. I then just booted into safe mode and cleaned up the registry again.
But before I did that I once again run the reset of of permissions (url in earlier post).
I didn't apply your reg fix for authentication though, I checked on my notebook and it looks the same and it hasn't been infected. So this key was obviously not changed by the infection.
To solve the issue where windows always think it's in safe mode I found and removed a key named .../Safeboot/Option in all the controlset keys.
I was then able to reinstall Windows Installer 3.1, and IE7 but WU didn't quite work yet. I found out that the tip I followed before missed a part. here is an url to a more complete solution
http://www.grq.net/windowsupdate.html
I took advantage of the previous tip though by putting the commands into .bat files.
Now WU worked and I got all updates, and I could also install BitDefender and have done a DeepScan that came out clean.
I will do a few more scans, just to be safe, Install my java and Firewall etc. and hope to be back with some final logs tommorow I guess. Well last time kav took 20 hours to scan but it maybe was due to the infection. Deep scan with bitdefender took 6 hours.
So it seem lik I am on the happy side again then :2thumb:
steamwiz
2008-02-29, 00:50
Hi
removing the SafeBoot\Option key/value removes the file security tab ... you may be interested in this :-
http://www.terminally-incoherent.com/blog/2007/07/ ... scroll down nearly to the bottom under heading Adding the File Security Tab in XP Home
Adding the File Security Tab in XP Home
Thursday, July 26th, 2007
If you own XP Home you are probably painfully aware of some of it’s limitations. The home edition of the OS for example won’t let you have a detailed file access control. The security tab where you can give or deny users permissions on given file or folder is simply missing from the properties dialog in this version.
Of course you can still modify file access permissions by using simple workarounds like:
Booting into Safe Mode
Using the cacls command on the command line
Using a 3rd party tool such as ACLView
Patching your system with a untested, unofficial patch.
None of this options is convenient, and the last one is particularly unsafe. While this patch does not have to be malicious, it’s just to easy to slip a rootkit into this type of system file patch.
Today I found yet another solution, while looking for something completely different. Someone at the MSFN forum simply noticed that you can cheat the system into thinking it is in safe mode by tweaking the registry, opted to create two reg files. First one to enable the security tab:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"=dword:00000001
And another one to disable it:
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
The change is instant, and does not require a restart. Why do you need to disable it? Because with that dword in place, your XP will be absolutely convinced that it is running in safe mode, and thus won’t let you run certain software, or perform any installations.
The problem with their solution is that you need to remember to click on the second reg file to restore your registry back to normal. So I decided to improve on it with a little shell script that will add that key, wait for you to finish your file access related tasks, and then remove the key before closing:
@echo off
echo 'Enabling Security Tab'
reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /v OptionValue /t REG_DWORD /d 00000001
echo 'Please keep this window open while you use the tab. When done, follow the prompts on the screen.'
pause
reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /f
You simply run this batch script, then leave it open at the prompt, do what you have to do, then go back and hit enter. The key will be automatically removed as the script closes.
Ok but I have XP Pro
One thing I noticed thow is that I only have 2 account types, Administrator and Limited - which is the same as for XP Home, Pro is supposed to have other types as well I think, like Power user etc. ? Can the Bagle have done changes to Registry that make it appear as if I have XP Home? Right clicking My Computer and selecting Properties clearly state I have
System:
Microsoft Windows XP
Professional
Version 2002
Service Pack 2
And yes you are right, if I right click a folder or file and select properties, there is no security tab - I think that's what you mean?
But again, my system is Pro and not Home. My registry is probably screwed up in some way for sure. I hope the file I uploaded with the infector can cast some light on what kind of changes this evil thing really do.
Otherwise system seem to be fine now, although I haven't run many programs yet. Done some scans which have come up clean. Will do a KAV scan now though. I am just a bit fear ful of opening IE as it seem to invite all kinds of evil :fear:
Hi
removing the SafeBoot\Option key/value removes the file security tab ... you may be interested in this :-
http://www.terminally-incoherent.com/blog/2007/07/ ... scroll down nearly to the bottom under heading Adding the File Security Tab in XP Home
Oh by the way, I noticed there is an account not added by me called "ASP.NET Machine A..." but I have a vague idea this once was created by "LogMeIn" which I once tried out but then removed. It's set up as a LUA so should be able to do something bad and I can probably just delete it.
steamwiz
2008-02-29, 17:41
HI
I guess I never asked you if you had home or pro ... FYI I just ran the batch on my XPhome .. works great.
Maybe this is all you need to do to see the security tab in XP Pro
enable Simple File Sharing in Windows XP Professional :-
My Computer >> Tools >> Folder Options >> View >> (scroll to bottom) >> CHECK Use simple file sharing (Recommended)
steam
steamwiz
2008-02-29, 17:45
RE: ASP.NET Machine Account
http://support.microsoft.com/kb/555299